devex-review

SUSPICIOUS: the core DX-audit behavior is legitimate and install provenance is mostly coherent with official gstack/Bun sources, but the skill’s real footprint is much broader than its stated purpose. Telemetry/brain sync, autonomous config changes, CLAUDE.md injection, and repo commits make it over-scoped for a review skill, creating medium-high risk even without clear malicious intent.