trae-skill-finder
Audited by Socket on Mar 3, 2026
1 alert found:
Anomaly: The skill is a minimal wrapper that modifies install commands by adding a Trae-specific agent flag based on the presence of ~/.trae or ~/.trae-cn. There is no direct malicious code, hardcoded credentials, or network exfiltration in this file. The real risk is transitive: it delegates installs to find-skills, which runs npx to install third-party packages globally. That install-execute pattern is an inherent supply-chain risk (untrusted packages can execute arbitrary code). The filesystem probes for Trae directories are limited but constitute environment fingerprinting. Overall: not directly malicious, but medium security risk because it enables global installation of third-party skills and contributes to a transitive supply-chain attack surface.