ctx-upgrade

SUSPICIOUS: the skill's purpose and capabilities mostly align, and external evidence supports that the GitHub/npm upgrade flow belongs to the same project. However, it instructs the agent to run an opaque shell command from an MCP tool and to apply unpinned GitHub-sourced updates that modify global npm state and hooks, creating meaningful execution and supply-chain risk.