project-setup
Warn
Audited by Socket on May 4, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS: the skill’s main purpose is coherent with project scaffolding, but it expands into host-level agent/devcontainer management and explicitly installs another skill, creating a transitive trust risk. No clear credential theft or exfiltration is present, so this is not malicious, but the permission and supply-chain footprint is broader than a minimal setup guide.
Confidence: 84%
Severity: 64%
Audit Metadata