php-injection-audit

The skill is internally consistent and does not show malware-like behavior, credential theft, exfiltration, or suspicious installers. Its main risk is that it equips an AI agent with structured offensive vulnerability-auditing capability and depends on another skill for evidence, so it is best classified as suspicious/high-risk security tooling rather than malicious.