to-prd

SUSPICIOUS: The main PRD-generation behavior aligns with the stated purpose, but the undocumented `/setup-leandrocfe-skills` command creates install-trust uncertainty, and the skill performs autonomous external publication to the issue tracker. No clear evidence of malware or credential theft is present, but supply-chain and workflow-write risks make it higher than benign.