performance

SUSPICIOUS: the skill is mostly benign performance documentation, but it includes unnecessary transitive instructions to install another skill from an external GitHub repo via an `npx`-based workflow. No direct credential theft or exfiltration is shown, so this is not malicious; the main issue is supply-chain and inherited-permissions risk disproportionate to a reference guide.