review-pr

SUSPICIOUS: the core GitHub review behavior is coherent and mostly proportionate, but the skill is not truly read-only because it mutates PR state, and it expands scope by reading a local `.env` token and forwarding report data to a separate localhost service. No clear malware or hostile third-party installer is present, but the combination of credential-file access, side-effecting actions, and untrusted PR content processing makes this a medium-risk skill.