bridge-plugin

SUSPICIOUS: The skill’s core behavior is mostly aligned with its stated purpose as a local plugin bridge, and no credential theft or exfiltration is evident. The main concern is install trust: it recommends transitive installation from a personal GitHub repo via the official Skills CLI, plus a questionable `pip:yaml` dependency name, which makes the supply chain less verifiable than expected.