zentao

Warn

Audited by Socket on Apr 10, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS: the skill’s capabilities fit its ZenTao-management purpose, but it relies on an unofficial third-party CLI and asks users to provide raw ZenTao credentials to it. The npm distribution path is normal and publicly linked to source, so this is not confirmed malware, but the combination of credential forwarding and transitive skill installation creates medium risk and warrants caution.

Confidence: 84%
Severity: 68%

Audit Metadata

Analyzed At: Apr 10, 2026, 03:12 AM
Package URL: pkg:socket/skills-sh/leeguooooo%2Fzentao-mcp%2Fzentao%2F@1245a8d13375e2825a1a841873b861714a35966b