claude-code-plugin-release

SUSPICIOUS: the skill’s core release automation purpose mostly matches its git/npm/GitHub actions, but it also authorizes autonomous public publishing and a Discord notification driven by secrets from an external local script path. Official CLIs keep supply-chain risk moderate, yet the optional `np` path forwards release credentials to third-party code and the workflow’s real-world actions warrant high operational caution.