create-pipeline

SUSPICIOUS: the skill's capabilities are largely aligned with its stated CI/CD purpose, but its trust model is weaker than ideal because it relies on a credentialed MCP runtime whose V2 provenance is somewhat ambiguous in the official docs. Risk is driven more by supply-chain and credential-forwarding concerns than by malicious behavior in the skill itself.