sync-template

Fail

Audited by Socket on Mar 12, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill's stated purpose (syncing a downstream project with a template via discovery, package updates, diffing, planning, and execution) is broadly coherent with the described steps. The footprint is proportionate for a developer tooling workflow but introduces notable supply-chain and transitive-trust risk due to reliance on unverifiable binaries and loading of an external skill. Data flows are mostly internal to the developer environment, with no explicit credential exfiltration, which keeps the risk at a moderate level. The presence of download/executable steps (opensrc opensrc:use and external skill delegation) warrants treating this as SUSPICIOUS to HIGH risk in strict security postures until provenance and verification mechanisms (signatures, checksums, pinned versions, and lockfiles) are demonstrated. Overall securityRisk should be considered MEDIUM-HIGH (0.55–0.65) with malware near zero unless further evidence of malicious intent is found.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 12, 2026, 05:48 AM
Package URL: pkg:socket/skills-sh/blogic-cz%2Fblogic-marketplace%2Fsync-template%2F@cd63f3ad5ec0ed0a7d67078d4888eb5956d3a2d6