check

SUSPICIOUS: the skill’s capabilities mostly match its stated maintainer/review purpose and use official GitHub/Vercel tooling, so this is not confirmed malware. Risk is medium because it combines code execution with autonomous maintainer actions on GitHub and processes untrusted PR/issue content, creating meaningful prompt-injection and real-world action exposure.