stream-builder

Warn

Audited by Socket on May 7, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the main build/scaffold behavior aligns with the stated Stream app-builder purpose and uses mostly legitimate ecosystems, but the skill overreaches by auto-installing peer skills, optionally installing third-party skills from mutable GitHub branches, and pushing network/auth actions with minimal confirmation. This looks more like an aggressive automation skill than confirmed malware, but its transitive trust model and broad execution scope materially raise risk.

Confidence: 89%
Severity: 68%

Audit Metadata

Analyzed At: May 7, 2026, 04:46 PM
Package URL: pkg:socket/skills-sh/GetStream%2Fagent-skills%2Fstream-builder%2F@d0c1b67f8b5271fa5d273cf0280b994ff9c2544a