web-fetch

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

Based on the provided SKILL.md fragment, this is a legitimate-seeming web-fetch utility whose documented capabilities align with its purpose. There is no evidence in this file of malicious code, credential harvesting, or routing traffic through attacker-controlled intermediaries. The main residual risk is the normal hazard of fetching and writing arbitrary remote content: if the underlying scripts execute or auto-unpack fetched payloads, or if users pipe output into other commands without validation, that could enable malicious outcomes. Without the actual script implementations, I rate this as low-risk but note that downstream behavior of the scripts should be reviewed (especially any archive extraction, subprocess execution, or use of eval) before trusting it in sensitive environments.

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Mar 1, 2026, 05:12 AM
Package URL: pkg:socket/skills-sh/winsorllc%2Fupgraded-carnival%2Fweb-fetch%2F@63cfd181e5ac023307d82601c3912e9dce424235