explore-recipes

SUSPICIOUS. The core browsing purpose aligns with the described MCP usage and ShipSwift endpoint, and the API key request is proportionate. The main concern is transitive skill installation via an unpinned `npx skills add` path, which introduces supply-chain and inherited-permission risk even though same-org evidence suggests the target skill is likely legitimate.