maestro-link-coordinate

SUSPICIOUS. The skill’s stated purpose fits a graph-coordination wrapper, but its trust boundary is weak: it delegates execution to an externally hosted/server-backed `maestro` CLI with unclear public command provenance, and auto mode permits unattended real actions by that external workflow. No direct credential theft or explicit exfiltration is shown, but the unverifiable operational footprint is broader than the documentation justifies.