npm-package

Warn

Audited by Socket on May 12, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the core package-template guidance is coherent and largely benign, but the skill includes two disproportionate agent-specific risks: transitive installation of another skill via the `skills` CLI and runtime fetching of mutable remote README content that can steer agent behavior. No evidence of credential theft or overt malware, but the trust boundary is broader than a simple npm package template needs.

Confidence: 100%
Severity: 60%
Audit Metadata
Analyzed At: May 12, 2026, 08:32 AM
Package URL: pkg:socket/skills-sh/remorses%2Fkimaki%2Fnpm-package%2F@4867cbd200cbab766b31271fd9f5081608f5eb43