styleguide
Audited by Socket on Mar 3, 2026
1 alert found:
Security: This skill's stated purpose (generate a CSS style guide and update project files) is plausible, but several elements are high risk and disproportionate for that purpose. The most critical issue is the explicit instruction to retrieve a GitHub auth token via `gh auth token --user GGPrompts`, write it in plaintext into `~/.git-credentials`, and then push to origin, which is a direct credential exfiltration and persistence pattern. Additionally, the skill empowers autonomous subagents to read and modify repository files and push changes without per-action confirmation, increasing the risk of accidental or malicious content being added to the repo. Overall this skill should not be trusted or run as-is: remove automated token retrieval and plaintext credential storage, require explicit user-provided short-lived tokens or an interactive push step, and enforce per-action confirmations for commits/pushes. Until those mitigations are in place, treat the skill as high risk for credential theft and unauthorized repository modification.