scaffold-project

SUSPICIOUS: The skill’s scaffolding behavior is plausible for its stated purpose, but its trust model is incomplete. It relies on an unverified `gcx` CLI and a separate install skill, then instructs the agent to store and use a Grafana token through that CLI. The main concern is unresolved provenance and credential forwarding, not confirmed malicious behavior in this skill text alone.