hardcoded-credential-finder

SUSPICIOUS: the skill’s stated purpose is benign, but its footprint is not well-scoped because a generic credential-finder guide is given broad Bash(npm:*) execution without any package pinning or provenance constraints. There is no explicit credential theft or exfiltration, so this looks more like overbroad capability and supply-chain risk than malware.