oh-task

SUSPICIOUS: the workflow is purpose-aligned for repo task automation, but it grants an AI agent high-impact autonomous repository actions and mixes untrusted GitHub content with command/code execution. Main concern is operational autonomy and the unspecified trust boundary around `sg`, not clear credential theft or malware.