workflow-migration
Warn
Audited by Socket on May 19, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The skill’s overall purpose is coherent and the external VM0 tooling appears official, but it is over-privileged for a migration helper because it reads raw local credentials, reproduces them into plaintext .env files, and forwards them into VM0 workflows. The GitHub-based VM0 skill references are same-org and documented, so this is not confirmed malware, but the credential handling and transitive remote-skill loading make it a medium-high risk skill.
Confidence: 89%
Severity: 72%