vibe-new-app

SUSPICIOUS. The skill largely matches its stated purpose as an app scaffolder, but it relies on unpinned CLI/package execution, forwards an optional Anthropic API key into the CLI, and introduces transitive trust through additional skills/installer references. No clear malicious or exfiltration behavior is shown, but the install and credential-forwarding footprint is broader than low-risk scaffolding.