component-gen
Warn
Audited by Socket on Mar 23, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The stated purpose is coherent for a component-generation skill, but the trust chain is incomplete: it asks the agent to run an external `npx` package and provide `OPENAI_API_KEY` without enough evidence here that the package is official, published by the claimed org, or safely documented. If `ai-component` is not verifiably the same publisher's official npm package, this becomes credential forwarding to third-party code and materially raises risk.
Confidence: 81%
Severity: 72%