sync-dotfiles
Warn
Audited by Socket on May 3, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the core local dotfile sync behavior fits the stated purpose, but the skill has two notable risks: an unverifiable fallback clone of `camacho/ai-env` from GitHub and a `skills-push` feature that installs additional skills transitively. No clear credential harvesting or exfiltration is shown, so this is not confirmed malware, but it carries meaningful supply-chain and agent-trust risk.
Confidence: 84%
Severity: 68%
Audit Metadata