press-release-writing

Fail

Audited by Socket on Mar 4, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The package/content is an innocuous editorial/template tool for press releases, but the recommended workflow introduces moderate-to-high supply-chain and privacy risks: a curl|sh installer executing binaries from a custom host, mandatory login that forwards credentials to a remote backend, transitive npx installs, and broad shell execution capability via allowed-tools. These patterns could enable credential theft, arbitrary code execution, or data exfiltration if the distribution or skill endpoints are compromised. Recommend avoiding pipe-to-shell installs, verifying releases via strong cryptographic signatures, reducing required privileges (avoid granting broad shell execution), and clearly warning users not to paste confidential data into remote tools. Treat usage as acceptable only after verifying the distribution and backend security posture.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Mar 4, 2026, 12:33 PM
Package URL: pkg:socket/skills-sh/tul-sh%2Fskills%2Fpress-release-writing%2F@0e559b33e53900e7d7c4e44f9eb10818fac48a9e