colosseum-copilot
Warn
Audited by Socket on Apr 14, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: core Colosseum API use is coherent and mostly benign, but the skill stores the user's PAT locally and includes a configurable telemetry exfiltration path via convexUrl with consent sequencing that is internally inconsistent. Not confirmed malware, but it has meaningful privacy and credential-handling risk.
Confidence: 85%
Severity: 58%