security-eng

SUSPICIOUS. The skill is mostly coherent as a defensive security-engineering guide, but it grants an AI agent offensive security/testing capability plus bash/git/file-write access, which raises material misuse risk. There is no clear credential harvesting or exfiltration behavior, so this is not malware; the main concerns are offensive-security scope and medium supply-chain risk from outdated, mutable GitHub Action examples.