path-traversal-finder

SUSPICIOUS: the stated purpose is a vague security-guidance skill, but its actual footprint includes broad Bash(npm:*) execution that can fetch and run arbitrary npm packages without pinning or publisher constraints. No direct malware or exfiltration is shown, but the capability scope is disproportionate and the security-tooling nature raises risk.