az-cost-optimize
Audited by Socket on Feb 25, 2026
1 alert found:
Security: This skill/workflow is consistent with its stated purpose (discover Azure resources and IaC, analyze usage and costs, produce evidence-based recommendations, and create GitHub issues). I found no obfuscated code, credential-harvesting redirects, download-execute chains, or explicit malicious logic. Primary risks are operational: it requires broad Azure and GitHub credentials and produces executable Azure CLI commands that can modify resources. Another trust boundary is the unspecified MCP servers (azmcp-*), which could route data through third-party control planes; this should be verified and limited. Recommend: grant least-privilege credentials, require explicit user/operator approval before any modifying az commands are executed, and validate MCP server trust and operators before use.