setup-github

Suspicious but not malicious. The core behavior matches GitHub setup, and data flows mostly target official services, but the skill relies on third-party skill installation and enables an automated PR review/merge pipeline with meaningful repo impact. Medium risk from transitive trust and autonomous merge behavior, not clear credential theft.