gh-oss-go-bump

SUSPICIOUS: The skill is broadly aligned with its stated purpose, and its GitHub/Go data flows are mostly proportionate. The main risks are the unpinned third-party gh extension dependency, multi-repo write/merge capability, and moderate prompt-injection exposure from untrusted repo/web content combined with command execution. Not malicious, but medium risk.