cbi-repo
Warn
Audited by Socket on May 8, 2026
1 alert found:
Security (MEDIUM): SKILL.md
The skill’s actions are broadly consistent with its stated purpose: repository/project/portfolio management through a vendor-specific CLI. I found no clear exfiltration endpoint, covert behavior, or purpose mismatch. However, the core dependency is an external `cbi` CLI whose public installation source, release history, and verification trail are not established by the evidence provided. Because the skill requires this unverifiable CLI and relies on authenticated login/session handling, its overall risk is high under the mandated scoring rules, even without evidence of confirmed malicious intent.
Confidence: 89%
Severity: 82%