datasmith-pg

SUSPICIOUS: the skill’s PostgreSQL guidance is benign and well-aligned, but it includes third-party `npx skills add` instructions that introduce unpinned remote execution and transitive skill-install trust. No credential harvesting, exfiltration, or hidden behavior is evident; the main risk is installer/registry trust, not the SQL content itself.