mcp-light-generator

The skill is mostly aligned with its stated purpose, but it introduces medium risk by generating and installing a secondary Skill and by proxying an arbitrary upstream MCP package through unpinned `npx` execution. No clear credential theft or exfiltration is present, so this is better classified as suspicious/vulnerable than malicious.