resume

SUSPICIOUS: the skill’s purpose and behavior mostly align, and there is no direct credential theft or exfiltration pattern. However, it requires an unverified custom MCP dependency and appears to live in a mutable, marketplace-mediated distribution chain; that install/execution trust gap is disproportionate enough to classify it as suspicious rather than benign.