find-skills

Warn

Audited by Socket on Apr 6, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill's stated purpose matches its behavior, but that purpose is inherently high-trust because it brokers discovery and installation of third-party skills. The upstream CLI appears legitimate and same-org, which lowers malware concern, but the transitive installation model, arbitrary git-source support, and unpinned `npx` execution make this a medium-to-high security risk skill rather than a benign documentation helper.

Confidence: 88%
Severity: 62%

Audit Metadata
Analyzed At: Apr 6, 2026, 09:44 PM
Package URL: pkg:socket/skills-sh/Peiiii%2Fnextclaw%2Ffind-skills%2F@28e56fd8fa64d85422df7c1232efbe25e960bb41