nopeek

SUSPICIOUS. The purpose is plausible, but the skill’s core design undermines its claim: users must pass secrets into an unverified, unpinned external CLI fetched via `pnpx`. Automatic Claude Code hooks further increase blast radius. This is not confirmed malware, but it is a high-risk supply-chain and credential-forwarding skill.