sync

Warn

Audited by Socket on Mar 31, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the behavior matches the stated purpose, but that purpose is inherently high-trust and broad. It uses official documented tooling, so this is not confirmed malware, yet it installs arbitrary remote skills from an unpinned git URL and does so in bulk with `--all -y`, creating significant supply-chain and transitive-trust risk.

Confidence: 90%
Severity: 76%
Audit Metadata
Analyzed At: Mar 31, 2026, 08:39 AM
Package URL: pkg:socket/skills-sh/sjunepark%2Fcustom-skills%2Fsync%2F@241e96d47ed0acfd9a1224fd58a833b22805413f