handle-pr-feedback
Warn
Audited by Socket on Mar 21, 2026
1 alert found:
Security alert, severity MEDIUM, in SKILL.md
SUSPICIOUS: The skill's capabilities mostly match its stated GitHub PR workflow and its network path appears to stay within official GitHub tooling, so install/data-flow trust is relatively coherent. However, it gives an AI agent high-impact autonomous abilities to interpret untrusted PR comments, modify code, push commits, and post responses without explicit per-action confirmation, making it risky despite not looking malicious.
Confidence: 89%
Severity: 74%