github-release-management
Fail
Audited by Socket on Apr 2, 2026
1 alert found:
Malware (HIGH): SKILL.md
SUSPICIOUS: the skill’s capabilities largely match its stated release-management purpose, and most data flows go to official GitHub/npm paths. The main concerns are medium-to-high operational risk from autonomous publishing/deployment actions and the use of third-party `claude-flow`/`@alpha` orchestration in token-rich CI contexts, plus a minor dependency-name mismatch for GitHub MCP integration. This looks more like a high-impact, supply-chain-sensitive automation skill than confirmed malware.
Confidence: 85%
Severity: 72%
Audit Metadata