find-skills

Warn

Audited by Socket on May 13, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The capability fits a skill-discovery purpose, but the trust chain is not coherent with the official ecosystem: it replaces the official Vercel skills CLI with a personal-repo mcphub installer delivered via curl|sh, then encourages transitive installation of arbitrary third-party skills. No direct credential theft is shown, but the supply-chain and inherited-permissions risks are high.

Confidence: 91%
Severity: 84%

Audit Metadata
Analyzed At: May 13, 2026, 04:30 AM
Package URL: pkg:socket/skills-sh/vaayne%2Fmcphub%2Ffind-skills%2F@9357dce8156dfb547e4ba0b046513c2e51c30b84
Security Audit — socket — find-skills