botpenguin

SUSPICIOUS. The skill is broadly aligned with its stated purpose and uses a verifiable first-party npm CLI, so it does not look malicious. However, it introduces a third-party intermediary trust boundary for BotPenguin credentials/data and enables consequential messaging actions, making the overall risk medium rather than benign.