session-start-hook

SUSPICIOUS: the core purpose of setting up a startup hook is coherent, but the skill goes beyond that by instructing transitive installation of another skill repo and autonomous commit/push actions. Main risk is expanded trust scope and downstream skill loading rather than direct malware or credential theft.