sync-skills

SUSPICIOUS: the skill’s stated purpose matches its filesystem-copy behavior, but it is designed to propagate arbitrary third-party skills from unpinned GitHub repos or a third-party marketplace into agent skill directories. The biggest concern is transitive trust and indirect prompt-injection risk, not credential theft or confirmed malware.