swain-init

SUSPICIOUS: the core onboarding behavior is mostly coherent and locally scoped, but risk is elevated by supply-chain exposure (official `curl|sh`, transitive pre-commit hook repos) and especially by installing a separate third-party skill via `npx skills add obra/superpowers`. No clear credential theft or exfiltration is present, so this is not malicious, but it is a medium-risk onboarding skill.