pipes-new-indexer

SUSPICIOUS: the skill is largely coherent as an indexer-scaffolding guide, and its network/data flows mostly target official services. However, its primary dependency is a mutable third-party CLI outside the stated publisher org, executed via npx @latest and manually patched in the npm cache before use; that makes install trust and execution integrity disproportionately risky for a core scaffolding skill. No clear credential theft or exfiltration is present, so this is not confirmed malicious.