fetch-brand-assets
Warn
Audited by Socket on Apr 20, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the core behavior matches a brand-asset fetcher, but trust boundaries are loose. The skill is not harvesting credentials or obviously malicious; risk comes from search-driven remote downloads, third-party asset intermediaries, and unpinned uv/Pillow execution, plus an outdated Clearbit fallback that weakens source integrity.
Confidence: 88%
Severity: 52%
Audit Metadata