find-skills

SUSPICIOUS: the stated purpose is coherent, and the `skills` CLI appears to be the official same-project tool, so this is not malware by itself. However, the skill’s core function is to discover and install third-party skills via unpinned `npx` commands, creating meaningful transitive supply-chain risk that is disproportionate to a simple recommendation workflow.