install

SUSPICIOUS: the skill's purpose matches its behavior, but it relies on mutable remote content, unpinned npm-executed CLIs, and a postinstall hook that extends agent behavior through transitive trust. This looks more like a risky installer/convenience skill than malware.