social-card-gen
Warn
Audited by Socket on Apr 16, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS. The skill's stated purpose is coherent, and its requested inputs are mostly proportionate, but the install/execution path is weaker than the description suggests: it runs an unverified npm package via npx and forwards an API key to that external code without showing official package ownership or endpoint details. This looks more like a supply-chain and credential-forwarding risk than confirmed malicious behavior.
Confidence: 80%
Severity: 63%
Audit Metadata