sync-global-rules
Warn
Audited by Socket on Mar 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
The skill’s stated purpose matches its capabilities, and its only declared external service is GitHub via the official gh CLI. The main risk is supply-chain and persistence: it imports mutable content from a personal repository directly into global AI-agent rule files for two tools, giving upstream text durable influence over future agent behavior. This is better classified as suspicious/high-vulnerability potential rather than confirmed malware.
Confidence: 81%
Severity: 61%
Audit Metadata