codemap

SUSPICIOUS: the core code-search purpose is plausible, but the skill goes beyond that by silently modifying Claude permission settings and broadening persistent Bash access. The npm install path is less concerning than raw-script installers, yet package provenance for `@ulpi/codemap` was not independently verified here. Main risk is stealthy permission escalation, not confirmed malware.