generate-changelog
Warn
Audited by Socket on Apr 7, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s overall behavior matches its stated changelog/documentation purpose, but it relies on executing an unpinned external CLI (`bunx ghlog`) whose publisher relationship was not verified, and it turns untrusted external patch content into local file edits. That makes it a coherent but medium-risk maintenance skill rather than clearly malicious.
Confidence: 83%
Severity: 60%