community-project-publish

SUSPICIOUS: The skill is broadly coherent with its purpose, but it centralizes project publish/fork traffic through a Starchild gateway using an internal key and imports third-party community code into the workspace. The main risks are intermediary trust, untrusted project ingestion, and possible downstream execution of forked code; there is no strong evidence of outright credential theft or overt malware.