cadence
Warn
Audited by Socket on Apr 3, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the core Cadence reference content is benign and aligned with its purpose, but the skill also pushes transitive skill installation and a remote MCP on a Railway domain via unpinned `npx` execution. That footprint is somewhat broader than a documentation/reference skill and creates medium supply-chain and data-exposure risk, though there is no clear credential theft or confirmed malicious behavior.
Confidence: 79%
Severity: 56%
Audit Metadata