coregit
Warn
Audited by Socket on Apr 10, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The core repo-management and API flows are broadly aligned with the stated purpose and point to first-party Coregit domains, but the skill relies on an unpinned runtime `npx` installer (`coregit-wizard@latest`), claims to install another skill, stores credentials opaquely, and exposes remote command execution. Without external evidence tying the wizard package to the same publisher and documenting that install path as official, the install-trust and transitive-trust risks are disproportionate enough to warrant suspicion rather than benign classification.
Confidence: 79%
Severity: 67%
Audit Metadata