project-initializer

SUSPICIOUS: the skill is broadly aligned with project scaffolding, but it has a sizable execution footprint: it runs helper scripts, installs third-party CLIs via npm/npx/uv, and can generate CI/deployment assets. The main concern is supply-chain and command-execution trust from unpinned external installers, not clear credential theft or exfiltration.