comfy-tools-setup

SUSPICIOUS: the skill’s purpose and capabilities mostly align, but it installs executable tooling directly from an unpinned GitHub repository and includes transitive skill installation guidance. No credential harvesting or off-purpose data flows are evident, so this looks more like moderate supply-chain risk than malware.