skill-library

SUSPICIOUS: the skill is internally consistent as a package installer, but its core behavior is high-trust transitive installation of agent packages from a personal GitHub repository using mutable remote content and executable utility installs. No clear credential theft or exfiltration is shown, but the supply-chain and inherited-permission risks are substantial.