extension-publish

SUSPICIOUS. The skill’s purpose is coherent, and its credentials match Chrome Web Store publishing, but it relies on a non-Google third-party CLI installed from npm and forwards live OAuth secrets/tokens into that tool. This is proportionate in function yet trust-heavy in execution, making it medium/high security risk rather than confirmed malicious.