task

SUSPICIOUS. The core planning behavior is coherent and mostly local, but the auto mode materially expands scope by autonomously spawning downstream skills, creating transitive trust and real-world project actions beyond simple task drafting. Install trust is not overtly hostile, yet publisher/provenance is not fully clean due to repo-name mismatch. No credential harvesting or direct exfiltration is evident.