workflow-dotfiles-sync

SUSPICIOUS: the overall workflow is purpose-aligned for dotfiles management, and its file access and git/chezmoi usage mostly fit that purpose. The main concern is install/execution trust: it relies on an unspecified local `dotfiles` control-plane binary with no documented provenance, versioning, or verification, while granting Bash and write access and allowing outbound git pushes. This is not confirmed malware, but the undocumented helper makes the skill higher risk than a standard chezmoi workflow.