qa-only

SUSPICIOUS. The core QA browser-testing behavior is coherent, and the Bun installer evidence is consistent with official distribution. But the skill is wrapped in a much broader gstack runtime that can edit project files, commit changes, maintain analytics, and optionally sync artifacts/telemetry, which is disproportionate to a narrowly scoped report-only QA skill. This looks more like an overprivileged framework skill than confirmed malware.