verify-releases

SUSPICIOUS: The skill’s behavior is mostly aligned with its release-validation purpose and its data flows target expected Microsoft/.NET endpoints, but it relies on installing an authenticated third-party CLI from a personal GitHub Packages namespace and instructs storing the GitHub token in clear text. This is more a supply-chain and credential-handling concern than evidence of malicious intent.