frontend-dev

SUSPICIOUS: the entry is mostly benign as a catalogue pointer, but its real effect is to steer the agent/user into installing an upstream skill bundle, creating transitive trust and mutable repo-based supply-chain risk. No direct credential theft or malicious execution appears in this file alone, but the install indirection is disproportionate to a simple discovery entry.