pp-recipe-goat
Warn
Audited by Socket on May 8, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the stated purpose is coherent and mostly read-only, but the skill expands trust to external binaries installed via npx/go without supplied verification evidence, supports arbitrary webhook delivery of output, and optionally installs an MCP server that increases agent-side trust. Credentials requested are proportionate, so this is not clearly malicious, but the install and data-delivery footprint is broader than a simple recipe lookup helper.
Confidence: 82%
Severity: 60%
Audit Metadata