red-team
Audited by Socket on Apr 6, 2026
1 alert found:
Anomaly: SUSPICIOUS. The stated purpose matches the core behavior: it evaluates docs/skills by spawning restricted agents and writing local reports. There is no obvious credential harvesting, exfiltration endpoint, or unrelated capability in this skill itself. Risk comes from proportionality and transitive execution: it launches parallel sub-agents, reads arbitrary local project content, and invokes another skill for consolidation, creating indirect prompt-injection and trust-chain exposure if the reviewed artifacts contain malicious instructions or if the council dependency is compromised. Install trust is moderate rather than high concern based on the evidence: the referenced council runtime appears to be a real same-publisher PyPI package with normal package distribution, not an unverifiable binary or curl|bash installer. Overall this is coherent but still medium-risk due to multi-agent execution and transitive skill dependence.