add-integration

SUSPICIOUS: The skill’s purpose is coherent, but it asks the agent to discover and run third-party MCP packages via unpinned npx and then forward service credentials to them. That creates a substantial supply-chain and credential-forwarding risk even though the registry source is official npm and the behavior is not clearly malicious.