pr-review
Warn
Audited by Socket on Mar 16, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The skill’s review/comment/merge behavior is mostly aligned with its stated purpose, and GitHub data flows appear direct to official endpoints. Risk is elevated because it autonomously performs impactful actions, processes untrusted PR content while executing local commands, and delegates core behavior to an only weakly verifiable `kspec` workflow.
Confidence: 84%
Severity: 81%