find-skills

SUSPICIOUS: The skill’s stated purpose matches its behavior, and the `skills` CLI appears official to the ecosystem, so this is not confirmed malware. However, it is inherently high-trust: it instructs the agent to discover and install additional third-party skills from broad sources, including non-vetted repos, with global and non-interactive flags. The main risk is transitive skill installation and supply-chain expansion, not direct credential theft or exfiltration in this skill itself.