cli-anything-hub

SUSPICIOUS rather than malicious: the hub itself appears to be published through legitimate same-org PyPI/GitHub channels, but its main purpose is to broker installation of many additional CLI packages from a live remote catalog. The verified provenance lowers concern for the base package, yet the marketplace-style transitive install model and broad scope create meaningful supply-chain risk.