agent-debugger

SUSPICIOUS: the skill’s debugger capabilities largely match its stated purpose, but the install path is the main issue. It relies on an unpinned `npx -y agent-debugger` package whose official npm provenance was not verified in the provided evidence, while also granting broad wildcard Bash access to a tool that can attach to live processes and execute evals. That combination creates high supply-chain and runtime-impact risk without clear evidence of overt malware or credential theft.