codex-task-waves

SUSPICIOUS: the skill’s purpose is coherent for software-task delegation and it uses mostly official tooling, so there is no strong sign of credential theft or overt malware. Risk is elevated because it chains multiple skills, repeatedly delegates write/review actions to Codex, processes untrusted repo content, and allows autonomous push/PR operations.