cometchat-react-nextjs

SUSPICIOUS. The skill's purpose and capabilities are mostly coherent for a Next.js CometChat integration, and data flows stay within expected CometChat/GitHub sources. The main issue is install trust: it repeatedly runs an unpinned external CLI (`@latest`) whose official npm/release provenance was not established in the supplied evidence, triggering a high security-risk floor. Additional medium risk comes from transitive skill installation guidance and external content reuse, but there is no strong evidence of credential theft or malicious exfiltration.