agent-package-manager

SUSPICIOUS. The stated purpose matches APM-style repository management, but the skill’s footprint is broader than a simple config helper: it installs/operates an external CLI, fetches remote packages, and performs transitive skill deployment into agent environments. Because the provided installer/publisher evidence is conflicting and not clearly same-org verified, the main concern is supply-chain and transitive trust risk rather than confirmed malware.