search-first

The skill is conceptually coherent with its stated purpose of guiding a research-before-code workflow and leveraging existing tools before building custom solutions. Its footprint—searching multiple reputable sources, evaluating candidates, and deciding on adoption/wrapping/composition—is proportionate to its purpose. There are no explicit credential accesses, data exfiltration, or remote control actions described. However, the lack of explicit trust vetting procedures for external sources and the potential for introducing third-party dependencies without safeguards introduces moderate security and supply-chain risk. Treat as suspicious if used without strict source vetting, license/compliance checks, and lockfile/version pinning policies; otherwise, it remains Benign with mitigations. Overall, the risk posture is MEDIUM with actionable precautions recommended for source validation and dependency management.