pipeline
Warn
Audited by Socket on Mar 13, 2026
1 alert found:
Security, MEDIUM: SKILL.md
SUSPICIOUS: The skill's core behavior is largely aligned with its stated purpose as a build-pipeline orchestrator, so this is not confirmed malware. The main concerns are its explicit transitive installation of other skills via an unpinned `npx` path and its ability to autonomously push and auto-merge code, which create meaningful supply-chain and autonomy risk beyond a low-risk documentation skill.
Confidence: 86%
Severity: 72%
Audit Metadata