minion-fetch

Warn

Audited by Socket on Mar 25, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The stated purpose matches URL fetching, but the skill relies on an unverifiable, unpinned `npx` package whose publisher/source relationship could not be confirmed. It also enables fetching arbitrary untrusted content with optional processing, which is broader and riskier than a tightly scoped retrieval skill. No direct credential harvesting or malicious exfiltration endpoint is shown, but installer trust and external-content handling make this a high security-risk skill.

Confidence: 84%
Severity: 74%
Audit Metadata
Analyzed At: Mar 25, 2026, 01:25 AM
Package URL: pkg:socket/skills-sh/fboldo%2Fminion-kit%2Fminion-fetch%2F@ae74eb0613a4c390240cd3311d73a503c3b0276c