Manifest

Warn

Audited by Socket on Mar 1, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

This skill is an operational guide to install and configure the Manifest observability plugin. Its capabilities align with its stated purpose. The main security considerations are standard: the user must supply a sensitive API key that will be stored in the local Claude configuration and used to send telemetry to an external Manifest endpoint (or a user-specified endpoint). There is no evidence in the provided text of obfuscated code, credential harvesting beyond the intended API key, hidden data exfiltration, or malicious instructions. The primary risks are: (1) trusting the 'claude plugins install' supply chain (transitive trust in the plugin source), (2) potential insecure storage or accidental logging of the API key, and (3) the possibility of the user specifying a malicious custom endpoint. Recommend verifying the provenance of the 'manifest' plugin (signature, registry/source), ensuring secure storage of the API key, and only using trusted endpoints.

Confidence: 80%
Severity: 50%
Audit Metadata

Analyzed At: Mar 1, 2026, 10:54 PM
Package URL: pkg:socket/skills-sh/davila7%2Fclaude-code-templates%2Fmanifest%2F@e840a7df5731d24e55f676cc88ddb073e554ee0f