third-party-skills
Warn
Audited by Socket on Mar 24, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill is internally consistent as a third-party catalog, but its main purpose is to install other unreviewed skills from external publishers. The official CLI provenance lowers concern versus arbitrary download-execute, yet the transitive trust chain, unpinned `npx` execution, and bulk installation behavior make this a meaningful supply-chain risk.
Confidence: 86%
Severity: 68%
Audit Metadata