fix-security-issue

SUSPICIOUS: the skill’s purpose is coherent, but its footprint is high-impact. It reads untrusted GitHub comments, can execute repo-defined tasks, and autonomously pushes code and opens PRs. Data flow stays mostly within official GitHub tooling, so this is not confirmed malicious, but it is a medium-high risk automation skill.