pp-dub

The skill is broadly aligned with its stated Dub-management purpose, and the install sources are same-publisher and publicly verifiable rather than obviously deceptive. Risk comes from relying on external CLIs, mutable installer targets, optional arbitrary webhook delivery, and installation of an additional MCP server; these make it better classified as suspicious/medium-risk rather than benign, but not confirmed malicious.