php-xss-audit

SUSPICIOUS: the skill is internally coherent and does not show credential theft, exfiltration, or dubious installers, but it equips an AI agent with meaningful offensive web-vulnerability auditing and PoC-generation capability. Risk is driven by dual-use security-tool behavior and an unspecified transitive dependency on php-route-tracer, not by confirmed malware.