pagr
Warn
Audited by Socket on May 20, 2026
1 alert found:
Security: MEDIUM
SKILL.md
SUSPICIOUS. The core Pagr publishing capability is coherent, but the skill includes a plaintext API key in the remote MCP URL and instructs users to route actions through that endpoint, which is a serious credential-handling and data-flow issue. It also bootstraps additional agent skill/MCP components via unpinned runtime package execution, increasing trust-chain risk beyond simple HTML publishing.
Confidence: 91%
Severity: 78%