draxarp

SUSPICIOUS. The skill’s functionality is broadly consistent with a project-intelligence backend, but trust and data-flow integrity are weak: the Orbit/Draxarp command surface is not publicly verified from official docs, installer provenance is unspecified in-skill, and API tokens are forwarded to an arbitrary configured base_url rather than a pinned official service endpoint. This is not confirmed malware, but it is higher-risk than a normal documentation skill because it grants a preinstalled external CLI broad authenticated write/delete access to remote systems with limited provenance evidence.