Agent Marketplace

The bundle implements a functional 'Agent Marketplace' for discovering and installing skills, which involves high-risk capabilities such as downloading remote code and performing local file operations. Specifically, `src/installer.js` contains logic to download packages from remote URLs and write code directly to the filesystem, while `src/registry.js` communicates with an external registry (clawhub.com). Although these behaviors are aligned with the stated purpose of a package manager and include some basic sanitization (e.g., regex-based filename filtering in the registry cache), the inherent risk of remote code execution and arbitrary file persistence without robust signature verification qualifies the bundle as suspicious under the provided criteria.