rabbit-inspect

SUSPICIOUS. The stated purpose largely matches the behavior: screenshot-based first-impression testing and optional issue creation are coherent. The main concern is install/execution trust: the skill mandates a repo-local `glimpse` CLI executed through `uv run --project`, but the tool's provenance, lock state, and dependency chain are not established here. No clear credential theft, exfiltration endpoint, or fundamentally incompatible capability is present, so this is not malicious, but the unresolved local-tool supply-chain risk and untrusted-content processing keep it above benign.