destructive-command-guard
Audited by Socket on Feb 24, 2026
1 alert found:
Malware
This skill's stated purpose and described capabilities are coherent and appropriate for a destructive-command guard. No direct malicious behavior is present in the documentation: it does not request sensitive credentials, perform telemetry, or instruct runtime exfiltration. However, there are notable supply-chain and operational risks: the quick-install curl|bash pattern and installing from a personal GitHub repo increase the chance of a compromised installer; the documented DCG_BYPASS environment variable is a high-value escape hatch that could be abused. The hook's limitation (it does not inspect commands inside scripts) is an evasion vector. Recommend treating this as a moderately risky component: require review of the installer script, prefer pinned/git-tagged cargo installs or signed prebuilt binaries, and avoid persistent DCG_BYPASS usage. Verify the GitHub repository and install scripts before use.