expect
Audited by Socket on Apr 8, 2026
2 alerts found:
Anomaly x2
SUSPICIOUS. The skill's core behavior is coherent for diff-aware UI testing, but its trust story is inconsistent: it forwards execution to an external browser automation dependency, uses npx remote execution, and names an Anthropic-scoped install path that does not match the publicly verifiable agent-browser publisher evidence. Scope and data flows are mostly proportionate to testing, so this looks more like a vulnerable/transitively risky skill than confirmed malware.
No direct malicious payload is evident in this CI/workflow/hook snippet alone. However, it materially increases supply-chain/behavioral risk by (1) installing and running Claude Code and the ork plugin at workflow time from unpinned sources (floating @latest / unpinned plugin), and (2) executing an agent-style workflow automatically with a live ANTHROPIC_API_KEY in CI and on developer pre-push. Additionally, failure-path artifact upload of screenshots/recordings can unintentionally expose sensitive UI content. Pin versions, verify plugin/tool provenance, limit API key scope/permissions, and review what the agent captures and writes to .expect/.