skill-discovery

Warn

Audited by Socket on Mar 30, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the stated discovery purpose is plausible, but the default auto-import of remote community skills and instruction to read/follow imported SKILL.md files creates a transitive trust and prompt-injection supply-chain risk disproportionate to simple discovery. Lack of verifiable provenance, signing, or endpoint transparency keeps risk elevated even without explicit malware behavior.

Confidence: 87%
Severity: 78%
Audit Metadata
Analyzed At: Mar 30, 2026, 06:43 AM
Package URL: pkg:socket/skills-sh/HKUDS%2FOpenSpace%2Fskill-discovery%2F@ab6c320a8bfd73f2160bbe3aff967a025aa3cb59