code-sync
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the core git sync behavior fits the stated purpose, but the skill expands trust by requiring an unreviewed third-party `git-workflow` skill and performs automatic batch push/pull actions across all repos without per-repo confirmation. The main concern is transitive skill installation and broad autonomous repository modification, not overt credential theft or hidden exfiltration.
Confidence: 86%
Severity: 68%