scout-manual-workflow

SUSPICIOUS. The skill’s overall purpose is coherent for a bug-tracker workflow, but its data-flow model is risky: it sources secrets from local .env files and sends the Scout API key to a fully user-configured SCOUT_URL rather than a pinned official endpoint. The external actions are proportionate to the stated purpose, yet the unrestricted endpoint and raw credential handling make this a medium/high security-risk skill rather than a clearly benign one.