docs-sync

Purpose and capabilities are mostly aligned for a docs-impact workflow, and install/data-flow trust looks reasonable from the cited official sources. The main risk is operational: it reviews untrusted PR content while retaining shell execution and GitHub write abilities, especially if used with pull_request_target; this makes the skill medium-to-high risk but not malicious.