research

SUSPICIOUS: the stated purpose is coherent for UX research, but the skill expands trust through unreviewed local skills and an optional preflight script, and it combines broad untrusted-content ingestion with possible shell/local-context access. No direct malware, credential harvesting endpoint, or third-party installer is shown, so this is not malicious on the provided evidence, but it carries medium security risk and high prompt-injection exposure.