peer-review
Warn
Audited by Socket on Apr 18, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill’s purpose is coherent, but its trust boundary is underspecified. It is a documentation/workflow skill rather than malware, yet it normalizes sending repository contents to an arbitrary external MCP reviewer and forwarding an API key to an unspecified CLI. Risk is moderate because the data flows and credential routing depend entirely on the user-selected reviewer backend, which the skill does not constrain or verify.
Confidence: 87%
Severity: 58%
Audit Metadata