openspec
Warn
Audited by Socket on Apr 10, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the skill's stated purpose is benign and OpenSpec's own provenance looks legitimate, but the skill unnecessarily replaces the official direct npm/CLI path with the unrelated `x` launcher. That creates a disproportionate supply-chain trust expansion and download-execute risk, though there is no evidence here of credential theft or malicious data exfiltration.
Confidence: 90%
Severity: 72%