curate-a-team-library

SUSPICIOUS: the stated purpose is coherent, but the skill’s main function is to execute an npm-resolved CLI and install/import additional skills from upstream sources, creating meaningful supply-chain and transitive-trust risk. No clear credential harvesting or exfiltration is present, so this is not confirmed malware.