ship

SUSPICIOUS: the skill's capabilities broadly match its stated release-automation purpose, and there is no evident credential harvesting or third-party interception. However, it grants an AI agent high-impact autonomous publishing powers—push, merge, and release—using Bash and GitHub CLI without explicit per-action approval, making it high operational risk even though it is not malware.