freshworks-fdk-setup-skill

Fail

Audited by Socket on Feb 28, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The skill's stated purpose (managing the FDK lifecycle) is coherent with the commands it describes, but its operational design raises significant supply-chain and autonomy risks. Key concerns: it mandates automated, immediate spawning of shell subagents that run download-and-execute commands (`curl | bash`) and install remote tarballs from a CDN without user approval or package verification. It also modifies user shell configuration files and encourages privilege escalation when installation errors occur. These patterns make the skill SUSPICIOUS for automated execution in environments where users or operators expect reviewed, consented changes. If used, require human confirmation, limit subagent privileges, avoid `curl | bash`, prefer pinned, signed releases, and present diffs of any shell-profile changes before applying them.

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Feb 28, 2026, 11:44 AM
Package URL: pkg:socket/skills-sh/freshworks-developers%2Ffreshworks-platform3%2Ffreshworks-fdk-setup-skill%2F@5b5733da769cfe4cd1a681a27d6a576bc230747a