spec-forge-implement

SUSPICIOUS: the workflow behavior is coherent for an implementation-stage skill and there is no clear credential theft or exfiltration, but trust in the required `spec-forge-cli` is not well established from the skill text or public evidence. Main risk is unverifiable external CLI provenance, not malicious behavior in the skill itself.