git-commit-formatter

SUSPICIOUS. The declared purpose is narrow and benign, but the mandatory execution of an undisclosed `setup.sh` is not justified by the visible skill content. With no script contents, credentials, or network destinations shown, this is not confirmed malicious, but it has medium supply-chain risk and poor install transparency.

This module is extremely suspicious and consistent with malware/backdoor behavior: it dynamically executes an embedded hidden payload (likely including remote curl|bash staging) and then harvests sensitive secrets by writing an API key to disk and printing AWS credentials. It should be treated as malicious and not used.