finalize

SUSPICIOUS: the stated purpose is coherent for a UI audit skill, and it avoids code edits, credential requests, and explicit exfiltration. However, it executes an unpinned `npx` CLI that is not verified as an official publisher-controlled tool and also chains into another skill, making the trust boundary larger than the visible instructions suggest.