trapiche-deploy
Audited by Socket on Feb 28, 2026
1 alert found:
Malware: The skill's stated purpose (anonymous static-site deployment and returning a temporary URL) is coherent with the actions it prescribes (check/install CLI, run deploy, return URL). However, the required install step uses an unpinned curl | bash pipeline and the workflow uploads local project files to a third-party service that performs remote builds. These are legitimate patterns for many deploy tools but they carry non-trivial supply-chain and data-exfiltration risks: executing remote installer code locally, granting transitive trust to a third-party CLI, and uploading source (which may include secrets) to an external service. If the Trapiche service is trusted and the install script is audited and delivered with integrity checks, the workflow is acceptable; otherwise it is suspicious. Recommend treating this skill as medium-high risk: avoid running the curl | bash installer without auditing the script and avoid uploading repositories that may contain secrets. Require integrity (signed/pinned installer) or use a manually installed/trusted CLI binary before proceeding.