charge-pix

SUSPICIOUS. The skill’s purpose and official Kobana API/MCP data flows are mostly coherent, and the same-org kobana-mcp-charge package looks legitimate. However, the hosted MCP path materially increases risk by using unpinned third-party mcp-remote and forwarding the bearer token through it, plus the docs encourage plaintext token storage in config files.