spec-forge-journeys

Warn

Audited by Socket on Apr 28, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The workflow is purpose-aligned and mostly local, with no clear exfiltration or credential abuse, but it requires a non-publicly verifiable `spec-forge-cli` executable. That black-box dependency is disproportionate from a trust perspective and raises high supply-chain risk despite otherwise coherent behavior.

Confidence: 84%
Severity: 78%

Audit Metadata

Analyzed At: Apr 28, 2026, 09:30 AM
Package URL: pkg:socket/skills-sh/ByteLandTechnology%2Fspec-forge%2Fspec-forge-journeys%2F@56fab7cf686485f779fb43a88a099cbe0f34f44d