sop-product-launch
Warn
Audited by Socket on Apr 2, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. As a planning SOP, the skill is broader than necessary and blurs into operational execution with real-world consequences: deployment, app-store submission, marketing sends, paid ads, social posting, and PR outreach. The only explicit external component is a third-party MCP server (ruv-swarm); evidence suggests it is a real package/repo, but it is not same-org official to the skill host, and the skill gives no trust, install, or approval constraints. No direct credential theft, exfiltration endpoint, or malicious payload is shown, so this is not confirmed malware. Risk comes from disproportionate scope, autonomous action potential, and external tool trust.
Confidence: 87%
Severity: 63%
Audit Metadata