groom-milestone

SUSPICIOUS: the skill’s project-management purpose mostly matches its capabilities, but it expands scope by spawning parallel non-interactive Claude subprocesses and depends on an unverified custom backlog/dispatch MCP server for state writes. No strong evidence of credential theft or malware is present, but the combination of autonomous backlog mutation, local command execution, and unverifiable MCP ownership makes it medium risk rather than benign.