addness

SUSPICIOUS: The stated purpose is coherent with project/goal tracking, and there is no clear malicious payload in the skill text. However, the skill’s core functionality depends on opaque external CLIs with no install provenance or release verification in the skill, and those binaries are entrusted with reading and writing remote goal data. Broad pass-through commands and unenforced org-write restrictions further increase risk. Main concern is supply-chain and opaque data/credential handling, not confirmed malware.