pp-recipe-goat

SUSPICIOUS: the core recipe/USDA lookup purpose is coherent and the credential scope is proportionate, but install trust is weakened by publisher mismatch and unpinned external CLI/MCP installation. The optional webhook delivery and transitive MCP install raise meaningful security risk, though there is no clear evidence of credential theft or behavior fundamentally incompatible with the stated purpose.