skill-auditor
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
This skill-auditor is functionally coherent with its stated purpose (auditing SKILL.md bundles and managing a central skills repo). It does not contain clear malicious code (no remote downloads, no credential harvesting code, no obfuscated payloads). However, it carries moderate supply-chain and operational risks:
(1) it scans the user's entire home directory and prints discovered skill paths (information exposure),
(2) it uses rm -rf to remove source directories during migration (destructive if misused), and
(3) it mandates an external 'skillshare sync' command whose behavior/endpoints are unspecified (potential third-party exfiltration risk).
Treat this tool as operationally powerful and require review and safeguards before running: validate SKILLS_REPO and SOURCE_PROJECT inputs, avoid running in automated/privileged contexts without review, and inspect or control the implementation and endpoints of 'skillshare' before running the mandated final sync.