make-it-pretty

Functionally benign for its stated purpose (automated formatting and light refactoring) but carries moderate supply-chain and execution risk: unpinned runtime installs via npx, shell-based execution that modifies repository state (git stash), and fallback behaviors that expand file-scope. No direct signs of credential theft, network exfiltration, obfuscation, or embedded backdoors in the provided fragment. Recommend hardening: require explicit confirmations, pin formatter versions or use preinstalled binaries, default to dry-run/check modes, and restrict scope to explicit files.