product-discovery

From the provided manifest alone, there is no direct evidence of malicious payloads or obfuscation. However, the package is configured to execute bundled shell code (scripts/search.sh) with network access and a required secret API key, which creates a realistic risk surface for credential mishandling or unexpected outbound behavior. A full security determination requires inspection of the referenced shell scripts to confirm they only perform intended authenticated API calls and do not log or exfiltrate the API key or perform unauthorized system actions.