recipe-build

SUSPICIOUS: the skill is broadly consistent with an internal repo-task orchestrator, but its autonomous multi-step execution, commit authority, dependence on other skills, and ability to act on task/design content create medium risk. No clear credential theft, exfiltration, malicious installer, or incompatible capability is present, so this is not malicious; the main concerns are transitive trust and autonomous write/commit behavior.