explore-recipes

This Skill manifest is consistent with its stated purpose: it describes how an AI agent can list and fetch ShipSwift recipes via a designated MCP server and explains how to obtain Pro access using an API key. There is no embedded malicious code or obfuscation in the provided text. The primary security considerations are supply-chain and privacy/trust: (1) the npx install step pulls code from the package author (standard but requires trust), (2) the manifest instructs the user to configure their AI tool to route recipe requests to a single third-party MCP endpoint (api.shipswift.app), and (3) the SHIPSWIFT_API_KEY must be trusted and will be forwarded to that service for Pro access. These behaviors are proportionate to the skill's purpose but do expose credentials and potentially project context to the ShipSwift backend. No direct evidence of malware or credential harvesting beyond the intended Pro API usage is present in the fragment provided.