post-merge
Warn
Audited by Socket on Apr 26, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The overall footprint mostly matches a post-merge deployment skill, and the documented third-party CLIs are legitimate and purpose-aligned. However, the skill reads a raw local secret from `.env`, sources an unseen local `dispatch.sh`, and can execute real deploy commands autonomously, making it medium-high risk even without clear evidence of malicious exfiltration.
Confidence: 86%
Severity: 66%
Audit Metadata