build-feature

SUSPICIOUS: The skill is largely coherent with its stated purpose—install sources and the ShipSwift MCP endpoint appear legitimate and same-brand—but it introduces medium risk through transitive skill installation and remote recipe ingestion that can influence code generation. Credential scope is proportionate, and there is no clear exfiltration or malicious mismatch, but the external-content-plus-write capability makes it riskier than a static documentation skill.