qclaw-env

SUSPICIOUS. The skill’s capabilities largely match its environment-installation purpose, but its trust model is too broad: it mandates remote installer execution and includes non-first-party mirror scripts for core package managers. No clear credential theft or exfiltration is present, so this is not confirmed malware, but it is a high supply-chain risk skill.