publish-html-page
Audited by Socket on Mar 1, 2026
1 alert found:
Security

This skill's stated purpose — uploading assets to a project asset service and publishing lightweight HTML pages — is coherent and the flows described match the purpose. The primary security concerns are operational: the workflow recommends executing a local script discovered in the agent/plugin cache (bash "$SCRIPT" upload), and encourages installing/invoking other skills. Both patterns introduce transitive trust and enable execution of unverified code on the host. The remote endpoints (assets.yesy.site and page.yesy.site) centralize user content; while they appear legitimate internal services, they represent a single collection point for uploads and published HTML. There is no explicit credential harvesting or obfuscated/malicious code in the provided document, but the local script execution and transitive skill installations raise the overall risk to medium. Recommend: avoid blindly executing discovered local scripts without verification/pinning, require user consent before installing or invoking other skills, and document credential usage and data retention for the asset and page endpoints.