skills-sync

SUSPICIOUS: the stated purpose matches syncing skills, but the footprint is high-risk because it ingests arbitrary remote skill repositories, auto-installs tooling, and converts untrusted SKILL.md content into agent-consumed Cursor rules. No clear evidence of credential theft or overt malware, but the transitive trust and prompt-injection surface make this a high security-risk skill.