skill-ship
Warn
Audited by Socket on May 9, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the skill’s overall workflow fits its shipping purpose, but it makes a third-party local orchestrator script mandatory and likely sends project content through multiple external AI providers. This is not fundamentally incompatible with the stated goal, yet the unpinned GitHub-clone execution path and multi-provider data exposure create medium-high security risk.
Confidence: 84%, Severity: 74%
Audit Metadata