bring-shopping

Fail

Audited by Socket on Mar 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

SUSPICIOUS. The skill’s shopping-list actions match its stated purpose, but it depends on an unofficial third-party library and passes full account email/password credentials into that code. The install path is ordinary npm, not a raw malware-style downloader, yet the credential model and unofficial integration make the trust boundary disproportionate versus an official API-based skill.

Confidence: 86%
Severity: 72%

Audit Metadata

Analyzed At: Mar 24, 2026, 12:25 AM
Package URL: pkg:socket/skills-sh/sundial-org%2Fawesome-openclaw-skills%2Fbring-shopping%2F@cb4393e12a7e74087023e85c313d1a6448b2abee