Tmp.Qs5EOZDgAo

The zola-mcp skill (SKILL.md) manages sensitive wedding data, including guest addresses and budgets, and utilizes a browser-automation script to extract session cookies (JWTs) for authentication. While these capabilities are plausibly needed to interface with the Zola mobile API, the handling of PII and the use of 'npx' for remote execution represent high-risk behaviors under the provided criteria. No clear evidence of intentional malice or prompt injection was found, but the authentication method and broad data access are inherently risky.