gsd-orchestrator

SUSPICIOUS: The skill is internally coherent and uses an official-looking npm install path, so it is not clearly malicious. However, it grants an AI agent broad autonomous build execution through an opaque external CLI and can forward secrets into that subprocess, making the overall security risk medium.