claude-code-showcase

Warn

Audited by Socket on May 17, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill’s purpose is coherent, but its trust boundary is not. Local hooks and Claude Code project setup are proportionate, yet the examples forward multiple secrets into npx-installed packages whose Anthropic ownership could not be verified, and some package names appear inconsistent with Anthropic’s official docs. Scheduled GitHub Actions also enable autonomous commenting and auto-committing. Main risk is supply-chain and credential forwarding, not confirmed malware.

Confidence: 88%
Severity: 84%

Audit Metadata

Analyzed At: May 17, 2026, 07:29 AM
Package URL: pkg:socket/skills-sh/Aradotso%2Fclaude-code-skills%2Fclaude-code-showcase%2F@b804e3f26b56909ac1e03ab7bc97c9ebf72ba9e7