scorecard

SUSPICIOUS: the stated purpose is legitimate, but the skill routes users to a third-party X-CMD wrapper instead of the official OpenSSF Scorecard tooling. The main risk is supply-chain and transitive trust from remote-script installation and mediated API access, not confirmed malicious behavior.