repo-bug-audit
Audited by Socket on May 6, 2026
3 alerts found:
Security
Obfuscated File x2
SUSPICIOUS: the skill is internally coherent for repo auditing, but it grants an AI agent high-risk security review capabilities and processes untrusted repository content with exec/write access. Core install/data flow is mostly local and proportionate, with the main extra concern being optional transitive skill installation via npx skills.
Cannot perform security triage without actual code. Please provide the code fragment or repository context to proceed with a structured assessment of inputs, data flows, and potential vulnerabilities.
The fragment represents benign packaging and governance guidance for a bug-audit submission workflow. No executable code or data processing is present, and there are no indicators of supply-chain malware or data leakage within this document fragment.