tapestry

SUSPICIOUS: The skill’s purpose broadly matches its extraction-and-planning behavior, and its explicit install path is mostly consistent with legitimate tooling. The main concern is scope: it fetches arbitrary external content and uses Bash plus file-writing to automatically generate outputs, creating medium indirect prompt-injection risk. No credential harvesting, covert exfiltration, or clearly malicious data routing is present.