shortcut

SUSPICIOUS. The skill’s purpose mostly matches its Shortcut-management actions, but trust is weakened by dependence on a community CLI, a mismatched npm install instruction, and credential forwarding through third-party client code. There is no clear evidence of malware or off-platform exfiltration, but the install/auth chain is not fully consistent with official Shortcut tooling.