ghpm-work

Fail

Audited by Socket on Mar 12, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

Overall, the ghpm-work skill appears benign and proportionate to its stated purpose. It leverages standard development tooling (gh CLI, git), maintains explicit per-phase session state, and interacts with GitHub through authenticated API calls as part of a documented workflow. No evident credential harvesting, unverified binaries, or covert data exfiltration patterns are observed. As with any automation that handles project data and GitHub interactions, ensure proper local access controls for session files and restrict gh API scopes to the minimum required actions.

Confidence: 98%
Audit Metadata

Analyzed At: Mar 12, 2026, 02:36 AM
Package URL: pkg:socket/skills-sh/jackchuka%2Fghpm%2Fghpm-work%2F@a92949bea08d644c06d79a2914f7101cb9d3a6e7