pp-company-goat

Mostly coherent as a read-only company-research skill, and its optional credentials broadly match the stated purpose. The main concerns are trust in externally installed binaries from a namespace that does not match the listed author, mutable @latest installs, and built-in arbitrary webhook delivery/optional feedback posting that create extra exfiltration paths. Overall this is better classified as suspicious-by-caution than malicious.