buddy-sings

SUSPICIOUS. The core singing workflow is plausible, but the skill is over-broad for its purpose: it scans local memory and git history, forwards personalized context to an external service, and depends on another skill plus an only partially verified CLI. This looks more privacy- and trust-risky than overtly malicious.