fiddler-mcp-setup

Warn

Audited by Socket on Apr 20, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The skill’s stated purpose matches most of its behavior and the main API flow is local and officially documented by Telerik. However, the Claude Desktop branch introduces a disproportionate trust boundary by fetching and executing third-party `mcp-remote` code from npm and forwarding the Fiddler API key to it, creating a high supply-chain and credential-forwarding risk. Non-Claude paths look broadly coherent; the Desktop bridge is the main reason this should not be classified benign.

Confidence: 93%
Severity: 84%

Audit Metadata
Analyzed At: Apr 20, 2026, 03:00 PM
Package URL: pkg:socket/skills-sh/telerik%2Ffiddler-agent-tools%2Ffiddler-mcp-setup%2F@a288ecbbdec097c4c3765febd947e59b08d74b29