speak-upgrade-migration

SUSPICIOUS: The skill’s stated purpose mostly matches its actions, and there is no clear credential theft or exfiltration behavior. The main issue is install trust: it upgrades an npm package that was not verifiably tied to official Speak developer documentation in the supplied evidence, and it uses an unpinned `@latest` version. Extra `curl` permission is unnecessary but not exercised. Overall this looks like a plausible migration skill with medium supply-chain risk rather than confirmed malicious behavior.