workspace-setup

Warn

Audited by Socket on Apr 21, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The core workspace/file sync behavior is broadly aligned with the stated purpose, but the skill has two notable risk amplifiers: plaintext FileBrowser credentials and explicit transitive skill installation/sync via npx skills and remote skills directories. Because the CLI path is same-org official, this is not strong evidence of malware, but it is a medium-to-high security risk due to mutable installs and inherited trust in additional skills.

Confidence: 87%
Severity: 68%

Audit Metadata
Analyzed At: Apr 21, 2026, 05:50 AM
Package URL: pkg:socket/skills-sh/ANIAN0%2Fpick-skills%2Fworkspace-setup%2F@d46167dbbcea5b09a50eeceb667ce82719c18982