blog-writer

SUSPICIOUS: The core behavior is coherent for a blog-generation skill and there is no direct credential harvesting or exfiltration. Risk comes from two trust boundaries: repo-defined `npm run build` execution and the undocumented third-party `frontend-design` plugin/skill, whose provenance is unclear. Overall this is not malicious on the evidence shown, but it is not fully benign because it expands trust to external or unverified execution surfaces.