qa-orchestrator

SUSPICIOUS: mostly coherent QA orchestration, but it has a broad footprint: reads .env.qa secrets, forwards them to spawned agents, can autonomously create GitHub issues, and can transitively invoke qa-bug-fixer. No clear malicious exfiltration is shown, yet the unspecified install script and optional third-party Forge installer keep trust and data-flow risk at medium.