isms-audit-expert

SUSPICIOUS due to install-trust and transitive-skill risks, not because of confirmed malicious behavior. The publisher relationship appears coherent, but the documented use of mutable GitHub installer scripts and third-party npx skill-install CLIs creates medium supply-chain risk; without the actual SKILL.md, purpose-capability alignment and credential scope cannot be fully validated.