nv-context

SUSPICIOUS: the skill’s capabilities mostly match its stated context-engineering purpose, but its footprint is broad and persistent. The main concerns are transitive installation through a third-party CLI, personal-repo provenance, repo-wide inspection of untrusted content, and automatic creation of hooks/workflows that can influence future actions. No clear credential theft or off-platform exfiltration is described, so this is not confirmed malware.