google

SUSPICIOUS. The skill’s purpose and capabilities mostly align for a local Google OAuth/OIDC emulator, and data flows are local rather than obviously exfiltrative. The main concern is install trust: it runs an unpinned npm package (`npx emulate`) whose official publisher/source relationship was not verified in the provided evidence, while also handling OAuth client secrets. This is more consistent with supply-chain risk than confirmed malware.