squad-kickstart

SUSPICIOUS: the skill’s project-orchestration behavior is mostly coherent with its stated purpose, and it avoids remote installers, but it forwards locally resolved auth to an unresolved BASE_URL and depends on unseen shared/downstream skills. The main risk is unverified endpoint ownership plus transitive trust, not confirmed malware.