xget

SUSPICIOUS: the skill is broadly consistent with its stated Xget integration purpose, and there is no strong malware signal or unverified binary install. However, it routes Git/package/container/API traffic through an intermediary Xget domain and encourages direct persistent configuration changes; for inference APIs this can forward credentials and requests to a third-party proxy rather than official endpoints, making the skill medium-to-high risk despite being purpose-aligned.