create-pr

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Obfuscated File (severity: HIGH)
File: SKILL.md

Based on the provided SKILL.md and file manifest, the package is an automation tool that legitimately needs access to repository data and platform tokens. There is no direct evidence in the provided fragment of obfuscation, hardcoded secrets, or explicit malicious network destinations. However, the tool’s capabilities (automatic commit/push, DCO sign-off, API-driven Issue/PR creation) and multiple credential sources create a real risk surface: if the implementation is careless or malicious it could exfiltrate repository contents or tokens or modify provenance. I recommend a code review of scripts/repo_api.py and scripts/full_auto_pr.py before use, specifically verifying direct API endpoints, TLS validation, minimal token scope guidance, explicit interactive confirmations for commits/pushes, no logging of tokens or diffs, and secure handling/storage of any token files.

Confidence: 98%
Audit Metadata
Analyzed At: Feb 16, 2026, 12:29 AM
Package URL: pkg:socket/skills-sh/openharmonyinsight%2Fopenharmony-skills%2Fcreate-pr%2F@0500ee19d34a59c6d3dec8e3e3aacc655e0cb284