oss-bounty-finder

Warn

Audited by Socket on May 10, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill’s purpose and capabilities mostly align, and the TinyFish install path appears official, so this is not confirmed malware. However, it delegates broad web automation and extracted-content handling to a third-party CLI/service, forwards an API key to that service, and processes substantial untrusted external content, creating meaningful privacy, supply-chain, and prompt-injection risk.

Confidence: 85%
Severity: 57%

Audit Metadata

Analyzed At: May 10, 2026, 08:42 AM
Package URL: pkg:socket/skills-sh/tinyfish-io%2Ftinyfish-cookbook%2Foss-bounty-finder%2F@83ef5309e6b0999c8ae757f908f9daae8f213ea8