rule-validate

SUSPICIOUS: the skill’s purpose is coherent for maintainer validation, and it does not request credentials or route data to odd endpoints, but it combines write/exec authority with untrusted external content review and runtime execution of a personal third-party npm CLI. Main risk is supply-chain and prompt-injection exposure, not clear malicious intent.