new-skill

SUSPICIOUS: the skill’s main purpose is benign documentation, but it normalizes transitive skill installation and remote doc fetching. Install sources are mostly official and coherent, so this is not malicious; the primary concern is medium security risk from unpinned `npx` usage and loading arbitrary third-party skills.