project-audit

Warn

Audited by Socket on Apr 24, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS. The stated purpose is coherent for a code-audit skill, and the described file access/write behavior is mostly proportionate. However, the core execution dependency is inconsistent: the skill references vibeco audit, while the nearest verifiable public tool is vibecop with different documented commands. That mismatch weakens install trust and makes the actual runtime footprint unverifiable. No clear credential harvesting or exfiltration is shown, so this is not confirmed malware, but it carries medium risk due to the unresolved supply-chain ambiguity and agent security-scanning capability.

Confidence: 84%
Severity: 63%

Audit Metadata

Analyzed At: Apr 24, 2026, 05:45 PM
Package URL: pkg:socket/skills-sh/vibeeval%2Fvibecosystem%2Fproject-audit%2F@2c70ec714f239def2e32bd01223ef25f2a15a6ab