tapestry

SUSPICIOUS: the skill’s core purpose is coherent, and most network/data flows match content extraction. However, it combines arbitrary external content ingestion with Bash+Write privileges, includes an unpinned auto-install path, and references an unclear third-party extractor CLI, creating meaningful supply-chain and prompt-injection risk even without clear evidence of malware or credential theft.