constructive-boilerplate-pgpm-init

This skill documentation accurately describes a scaffolding tool that clones template repositories and writes project files to disk. The main security concern is a supply-chain risk: cloning arbitrary remote templates (and caching them) can result in attacker-controlled files being placed into a user's project and later executed via package lifecycle or CI steps. There is no explicit evidence of active credential harvesting or obfuscated malicious code inside the provided text, but the ability to use untrusted repos and branches without integrity checks makes this skill moderately risky for CI or automated environments. Recommend restricting templates to trusted sources, pinning to exact commits/tags, adding signature or checksum verification, and warning users/CI to avoid automatically running installs or CI steps on freshly scaffolded code from untrusted templates.