gaud-mode
Audited by Socket on May 8, 2026
2 alerts found:
Anomaly / Security: This wrapper is primarily a supply-chain updater. It can fetch and install remote code via `npx` and/or `git clone/pull`, then mirrors the result into the local skill directory using `rsync --delete` and may execute a post-upgrade hook (`$SKILL_DIR/bin/gaud-poll-install`) from the updated tree. The wrapper shows no obvious credential theft or direct data exfiltration, but it lacks integrity controls (no commit pinning/signature/checksum verification) for fetched artifacts and executes code originating from the remote content, which materially increases supply-chain risk if the upstream repository or npm-based tooling is compromised.
SUSPICIOUS: the stated purpose matches tmux-based orchestration, but the skill's footprint is broader than a simple coordinator. The biggest concerns are transitive skill installation via npx and reconciliation of a compiled gaud-poll binary whose provenance is not demonstrated in the provided content. The automation scope is powerful and plausible for the purpose, but install trust and inherited-skill trust remain the main risks.