wxt-skills
Warn
Audited by Socket on Feb 20, 2026
1 alert found:
Anomaly (LOW)
examples/svelte/package.json
The postinstall script will execute the 'wxt' CLI during install. There is no direct evidence in this package.json of malicious content (no external URLs, no non-registry dependency references), but running a third-party CLI at install time is a potential supply-chain risk because that CLI (or its transitive dependencies) could execute arbitrary code, exfiltrate data, or modify the system. Recommend auditing the 'wxt' package (check its package.json scripts, published files, maintainers, recent changes, and any postinstall behavior), pinning to a vetted version, or removing/avoiding automatic postinstall execution if you cannot fully trust the upstream package.
Confidence: 80%
Severity: 60%
Audit Metadata