cli-hub-meta-skill

SUSPICIOUS. The stated purpose matches a CLI marketplace, but the trust model is weak: a mutable off-domain catalog drives transitive installation of many downstream packages with broad, hard-to-bound capabilities. No direct credential theft is shown, yet the package-manager/meta-installer pattern makes this higher-risk than a normal documentation skill.