gpc-purchase-orders

SUSPICIOUS. The skill’s capabilities fit its stated purchase-support purpose, but it delegates sensitive billing actions and likely Google service-account credentials to a non-official third-party CLI, and the documented commands appear partially inconsistent with public gpc docs. This looks more like a risky/unverified operational wrapper than malware, with the main concerns being third-party credential forwarding and autonomous refund capability.