discover-skills

SUSPICIOUS. The skill is broadly aligned with its stated purpose and does not auto-install, but its main function is to induce transitive skill installation via runtime-resolved `npx skills add` commands. Official ecosystem evidence lowers concern from malicious to moderate supply-chain/trust risk, especially for third-party repos and external catalogs.