br

SUSPICIOUS. The skill’s core capabilities are broadly aligned with a local issue tracker, and I found no strong signs of credential harvesting or third-party exfiltration. The main concerns are operational scope: it instructs autonomous git commit/push workflows and references same-org but still risky raw GitHub installer/update patterns, making it higher risk than a read-only project-management skill.