ESLint Auto-Fixer

SUSPICIOUS: the ESLint autofix purpose is plausible and proportionate, but the actual installation path relies on transitive skill installation from an unverified third-party publisher while claiming eslint/eslint as source. No direct credential theft or exfiltration is evident, so this looks like a supply-chain and trust-boundary issue rather than confirmed malware.