atlassian-setup

SUSPICIOUS. The skill's purpose and Atlassian-focused data flows are mostly coherent, but it relies on a third-party `mcp-remote` proxy installed via unpinned `npx @latest`, and that proxy participates in OAuth/token handling. This is not confirmed malware, but it creates meaningful supply-chain and credential-forwarding risk beyond what an official first-party connector would require.