mcp-grep-code
Warn
Audited by Socket on Mar 13, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the skill’s stated behavior is coherent and its network destination fits the purpose, but it relies on a third-party personal GitHub CLI installed via unpinned `curl|sh`. That installer/binary trust mismatch is disproportionate for a simple code-search skill and creates a high supply-chain risk even without evidence of overt credential theft.
Confidence: 89%
Severity: 82%
Audit Metadata