php-cmd-audit

SUSPICIOUS. The skill is internally aligned with PHP command-injection auditing and shows no direct exfiltration or credential-harvesting behavior, but it grants an AI agent offensive security analysis capability and relies on an unverified companion tracer/tool, which raises trust and transitive-risk concerns.