github-multi-repo
Fail
Audited by Socket on Apr 2, 2026
1 alert found:
Malware (HIGH): SKILL.md
SUSPICIOUS: The skill’s core capabilities mostly match its stated multi-repo GitHub coordination purpose, and much of the GitHub CLI usage is legitimate. Risk comes from broad autonomous write actions across repositories, mutable `npx` execution, an unverified `gh-cli` dependency name, and an example that routes events/secrets to a third-party webhook endpoint. This looks like a high-impact automation skill with notable security risk, not confirmed malware.
Confidence: 84%
Severity: 71%
Audit Metadata