forge

SUSPICIOUS: the stated purpose broadly matches JIRA-driven implementation orchestration, but the footprint is elevated by dynamic skill generation/execution and by converting external ticket-derived content into actionable instructions with Bash/Write/Edit permissions. No clear malware or credential-harvesting behavior is shown, and install trust is relatively normal, but the transitive trust chain and prompt-injection surface make this a medium-high risk skill.