cometchat-react-react-router

SUSPICIOUS: The skill’s purpose is coherent for CometChat integration, and most data flows stay within CometChat-owned domains. The main issue is trust: it relies on repeated execution of an unpinned remote CLI via `npx @latest`, plus transitive skill installation/use and some external content fetching. This is not confirmed malware, but it carries meaningful supply-chain and agent-action risk.