eve-bootstrap

SUSPICIOUS. The skill’s onboarding actions are mostly consistent with its stated purpose, and the npm install path appears proportionate. However, it explicitly redirects the Eve CLI to a custom staging/dev API domain for auth and project operations, which weakens data-flow integrity and makes the trust relationship unclear. Risk is moderate rather than malicious because the capabilities largely fit onboarding and there is no clear credential theft or covert behavior.