infer-upgrade

Warn

Audited by Socket on Apr 4, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS. The skill is largely coherent with its stated purpose as an Infer updater, but it performs unpinned remote package execution and a transitive skill installation (`npx skills add`) that expands trust beyond a routine local upgrade. No obvious credential theft or exfiltration is present, so this is not malware, but it is a medium-risk maintenance skill that should only be used if the `@inferevents` packages and `infer-events/skills` source are verified as official.

Confidence: 84%
Severity: 64%

Audit Metadata

Analyzed At: Apr 4, 2026, 04:39 AM
Package URL: pkg:socket/skills-sh/infer-events%2Fskills%2Finfer-upgrade%2F@e55e4d2a05838aca27edc0eab5365ef0294f937f