agentation
Warn
Audited by Socket on Mar 27, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: project file edits and npm install are consistent with adding a Next.js toolbar, but the skill also alters global Claude Code configuration and auto-starts an MCP server via unpinned `npx`. That expanded scope is disproportionate to a simple UI setup and introduces medium supply-chain and trust-chain risk, though there is no clear evidence of credential theft or confirmed malware.
Confidence: 80%
Severity: 58%
Audit Metadata