pricing-finder

SUSPICIOUS. The skill's overall purpose is coherent and its optional API calls go to official services, so this is not strongly indicative of malware. However, it processes substantial untrusted web/search content while retaining command execution and file-write capability, and it relies on an unseen local script plus unpinned dependencies. Main risk is indirect prompt injection and execution scope, not credential theft or overt exfiltration.