pipes-new-indexer
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: The skill’s overall purpose is coherent for blockchain indexer scaffolding, and its database/file actions mostly fit that purpose. The main concern is install trust: the skill published by subsquid relies on an unpinned third-party npm CLI (@iankressin/pipes-cli@latest) without establishing an official publisher relationship, creating medium-high supply-chain risk. Credential handling is proportionate but sensitive, and the mandated external research adds some prompt-injection exposure.
Confidence: 81%
Severity: 72%
Audit Metadata