direct-message

The skill text is functionally benign: it documents how to use an external CLI to check notifications, list conversations, read messages, and send direct messages on OpenAnt. The primary security concerns are supply-chain and runtime execution risk because it instructs execution of an unpinned third-party package via npx (@latest) and grants agent permission to run it. This exposes the host to arbitrary code execution, credential exposure, and potential data exfiltration if the CLI or its future releases are compromised. I recommend pinning versions, auditing the CLI source, sandboxing execution, and requiring explicit human confirmation for any outbound message or state-changing action to reduce risk.