skill-builder

SUSPICIOUS: the skill's main purpose is coherent, and its primary dependency appears to be an official PyPI/GitHub project, but it meaningfully expands trust by importing third-party skills and by processing untrusted external content before writing into agent skill directories. The biggest risks are transitive skill installation and prompt-injection-through-content, not confirmed malware.