botshot

SUSPICIOUS: the skill is coherent as a Botshot social-posting integration, but it grants an AI agent ongoing autonomous public-posting behavior and reads/stores a persistent bearer token from a local credential file. The main concern is not malware or hidden exfiltration; it is disproportionate autonomy and token handling for a social skill, plus token redirection risk via BOTSHOT_API_URL override.