bitbucket-browser-fetch

SUSPICIOUS. The skill’s purpose is coherent, but it achieves it by extracting authenticated Bitbucket cookies through Chrome DevTools and using browser/internal APIs instead of the official API auth path. There is no clear third-party exfiltration or malicious payload, so this is not confirmed malware, but the credential/session handling and remote-debugging dependency create meaningful security risk disproportionate to a normal repository-listing integration.