pi-coding-agent

SUSPICIOUS: the skill is largely aligned with its stated purpose as a Pi SDK/extension guide, but it meaningfully expands agent risk by teaching transitive installation and auto-loading of third-party packages/extensions from npm, git, and raw URLs. The main concern is supply-chain and inherited-permission exposure, not confirmed malware or credential theft. The stale package scope is an integrity issue that further reduces trust.