sync-dotfiles

SUSPICIOUS: local config sync is plausible, but the remote GitHub clone fallback is unverifiable from the evidence and `skills-push` adds transitive `npx`-based skill installation beyond the core purpose. No direct credential theft is shown, but install/execution trust is too weak for a purely benign rating.