add-integration

SUSPICIOUS: The skill’s purpose is coherent, but it materially increases risk by discovering arbitrary third-party MCP packages and executing them via npx while supplying service credentials through environment variables. Data flows are mostly aligned with the integration goal and use official npm/MCP patterns, so this is not confirmed malware, but the package-selection and credential-forwarding model creates medium-high supply-chain risk.