plugin-lifecycle

SUSPICIOUS: the skill’s capabilities mostly match its stated plugin-lifecycle purpose, but it expands trust through transitive skill loading and repeated unpinned `uvx ...@latest` execution. Data flows and file access are otherwise coherent with plugin development, and there is no clear credential harvesting or exfiltration behavior.