product-changelog

SUSPICIOUS: the skill's high-level purpose is coherent, but it expands into external CLI use, remote app execution, browser fetching, and installation of other skills. The main concerns are supply-chain trust for `infsh`, credential/session forwarding to external tooling, and transitive skill installation rather than confirmed malicious behavior.