work-with-pr

SUSPICIOUS: the skill’s core PR automation is coherent, but its footprint is broader than a passive workflow helper because it autonomously pushes code, loops until success, invokes other skills, and merges without explicit final user approval. Data flows mainly stay within GitHub and normal dev tooling, so this is not confirmed malware, but it is a medium-high risk automation skill.