stattic
Warn
Audited by Socket on May 11, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The skill’s purpose is coherent for a hosting/publishing tool, but the actual trust chain is weak: the named CLI could not be matched to verified official command docs, and the `$STATTIC_CLI_BIN` fallback allows any local executable to receive publish inputs and auth tokens. Because an unverifiable binary may handle credentials and file uploads, the skill carries high supply-chain risk even without direct evidence of malicious intent.
Confidence: 86%
Severity: 84%