dry-consolidation
Audited by Socket on Feb 27, 2026
1 alert found:
Security: This skill is coherently aligned with its stated purpose: scanning a codebase for duplicated code and extracting shared abstractions. It requires filesystem read/write access and the ability to run local build/test tooling, which is reasonable for the task. The main risks are operational: the broad set of allowed shell commands and the edit permissions can be abused to run arbitrary project scripts or make large-scale changes without human review, and running package managers introduces standard supply-chain risks (pulling remote packages). I find no evidence of embedded malicious code, hardcoded credentials, remote downloads in the skill itself, or obfuscation. Recommended mitigations: run in a sandboxed environment, require explicit user confirmation before any non-dry-run edits, limit runtime to a review-and-apply workflow, and avoid scanning paths containing secrets.