babysit-pr

SUSPICIOUS: the core GitHub/CI capabilities align with PR babysitting, and the main tooling is official. Risk comes from third-party data flows (public QR API, optional Diawi), autonomous merge capability, and the missing `monitor.sh` implementation. This looks like a legitimate but medium-risk automation skill rather than malware.