grunk

SUSPICIOUS: the skill’s purpose aligns with repo-task automation, but its footprint is high-risk because it can autonomously turn external task content into code changes, shell execution, git pushes, and task-state updates. Dependency provenance for `bd` appears coherent and same-project, so the main concern is autonomous action and trust chaining, not obvious malware or credential theft.