web-fetch
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill's capabilities broadly match its stated HTTP/API-testing purpose, so it is not fundamentally incompatible or overtly malicious. However, it expands the agent to arbitrary outbound network access, includes an unpinned `npx -y` MCP server install with some package-name inconsistency, forwards secrets to user-chosen endpoints, and shows TLS-bypass usage; these combined issues make it higher-risk than a simple documentation skill.
Confidence: 88%
Severity: 58%