stash-forge
Audited by Socket on Mar 11, 2026
1 alert found:
Obfuscated File

The skill is broadly coherent with its stated dev-time purpose (managing CipherStash EQL setup, schemas, and integrations). It correctly emphasizes development-time tooling, multiple install paths (bundled vs. latest), and different integration contexts (Drizzle, Supabase, plain PostgreSQL). However, there are security-relevant concerns: it allows fetching SQL from GitHub (supply-chain risk), requires high database privileges for EQL installation, and can grant broad roles in Supabase contexts. These risks are acceptable in a development tool but should be clearly mitigated (pin versions, verify checksums, limit permissions, audit logs). Overall, the footprint is suspiciously high-risk for a generic helper but proportionate to its purpose as a database dev-time tool; with proper controls, it remains Benign-to-Suspicious rather than Malicious.