ai-kickoff

SUSPICIOUS. The main DSPy/FastAPI scaffolding behavior is benign and proportionate, with official-registry dependencies and normal provider API usage. However, the embedded instruction to install another skill from a personal GitHub repo is a meaningful transitive-trust risk that does not clearly belong in a simple project-bootstrap skill.