update-readme

SUSPICIOUS: The skill’s core behavior matches README maintenance, but it expands its trust boundary through multiple transitive skill/agent calls and mixes untrusted web content with write and bash capabilities. No clear credential theft or malicious exfiltration is present, so this is not malware, but the transitive trust chain and prompt-injection exposure make it a medium-risk skill.