github-trending
Warn
Audited by Socket on May 12, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s purpose and data flow are coherent for fetching GitHub Trending, and it does not request credentials or access sensitive files. The main concern is supply-chain trust: it tells the agent to auto-install and execute a third-party npm CLI from a personal publisher via `npx --yes`, which is broader trust than necessary for a simple public-data lookup.
Confidence: 100%
Severity: 60%
Audit Metadata