qa

SUSPICIOUS: the core QA behavior is coherent with its stated purpose, but the skill expands its trust boundary through optional external plugins and transitive skill handoffs with incomplete provenance. Risk is driven more by dependency/credential trust and indirect content handling than by clear malicious behavior.