mindmap
Warn
Audited by Socket on Mar 30, 2026
2 alerts found:
Anomaly x2
Anomaly: SKILL.md (LOW)
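The skill's functional scope is broadly consistent with "generating mind maps", and no obvious credential theft or abnormal data exfiltration was observed. The main risks come from the bootstrap.md not being provided, which makes the actual install/repair chain unverifiable, and from the dependency on an MCP service published by a third-party individual; it is therefore better judged as suspicious but not malicious.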
Confidence: 84%
Severity: 56%
Anomaly: scripts/bootstrap.sh (LOW)
This module is a user-level bootstrapper that installs (or runs via npx) and registers a specific MCP server package with claude/codex/opencode. No explicit malicious behavior (exfiltration, credential theft, backdoors, or obfuscation) is evident in the fragment; however, it directly downloads and executes a remote npm package without visible version/integrity pinning here. The main risk is supply-chain compromise leading to code execution when the bootstrap runs.
Confidence: 66%
Severity: 60%
Audit Metadata