refactor-skill

SUSPICIOUS. The skill’s file access and rewrite behavior fit its stated refactoring purpose, but it relies on executing an unpinned external package (`uvx skilllint@latest`) whose official provenance was not verified from the evidence, and it chains trust by loading another skill. This is not fundamentally incompatible with the skill’s purpose, but install trust is weaker than it should be.