burp-suite-testing

SUSPICIOUS. The skill is internally consistent and uses an official same-org tool, so this is not deceptive supply-chain behavior. However, it equips an AI agent with explicit offensive security and exploitation capabilities against web targets, including automated scanning and attack payloads, which makes it high risk even without signs of credential exfiltration or malware.