http-header-security-audit

SUSPICIOUS: The stated purpose is a benign HTTP header security audit helper, but the skill grants broad Bash(npm:*) execution without any specific trusted package, pinned version, or documented need. There is no clear evidence of malware or credential theft, yet the capability footprint is broader than the purpose and creates meaningful supply-chain and execution risk.