orderly-plugin-add

SUSPICIOUS: the core purpose is coherent, but the skill relies on an unverified `orderly-devkit view` command and explicitly defers to plugin-authored `usagePrompt` instructions, creating indirect prompt-injection and supply-chain risk. No direct credential harvesting or exfiltration is present, so this is not malicious, but it exceeds low-risk documentation behavior.