gsp-scaffold
Warn
Audited by Socket on Apr 11, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill's capabilities mostly fit its stated scaffolding purpose, and it does not seek credentials or exfiltrate data. Risk comes from executing mutable npm/npx CLIs and especially from parsing install-manifest content into shell actions, which makes repository content a command source; this is proportionate enough to avoid a malicious verdict but not low-risk.
Confidence: 90%
Severity: 52%
Audit Metadata