simplify-and-harden

SUSPICIOUS: the skill’s stated purpose is coherent and its code-review behavior is proportionate, but it introduces medium risk through third-party skill installation and explicit cross-skill chaining to `self-improvement`. There is no clear credential theft or exfiltration, so this is not malware, but the transitive trust model and remote install pattern make it riskier than a purely local review skill.