publish-skill
Warn
Audited by Socket on May 2, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the workflow is broadly aligned with publishing skills, but it includes a transitive remote install step via `npx skills add` that fetches and installs skill content from an external registry/CLI, plus repo push/cherry-pick actions with real impact. Because the installer appears official and documented, this is not strong evidence of malware; the main concern is supply-chain and transitive trust risk disproportionate to a simple publish helper.
Confidence: 84%
Severity: 62%