amazon-buy-box

SUSPICIOUS. The skill’s stated purpose and capability scope are benign and proportionate, with no credential requests or exfiltration behavior in the provided content. The main risks are supply-chain and trust-chain related: installation depends on an unpinned `npx` CLI and a transitive skill install, and the documented repo does not match the repo where this skill actually appears. That inconsistency is enough to treat it as suspicious rather than benign, but there is no evidence here of confirmed malicious behavior.