hn-to-x-poster

SUSPICIOUS: The skill is coherent with its stated purpose and uses official first-party sites plus an apparently official browser-control tool, so it is not credential-harvesting malware. However, it enables automatic public posting from an already logged-in social account after consuming untrusted web content, which is a high-risk autonomous action for an AI agent even without obvious exfiltration.