skills-cli

SUSPICIOUS: the skill’s behavior matches its stated purpose, but that purpose is itself high-trust: it installs and manages other executable skills. The main concerns are transitive skill installation and unpinned `bunx` execution, plus installs from a personal GitHub source. This is not confirmed malware, but it poses meaningful supply-chain and delegated-trust risk.