github-sync-helper
Warn
Audited by Socket on Mar 28, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill’s capabilities broadly fit a Git/GitHub automation helper and data flows target official GitHub endpoints, so it is not fundamentally incompatible with its stated purpose. However, it enables destructive repo actions and autonomous GitHub-side operations, requires a token passed into an unseen local script, and has a small consistency gap because examples depend on gh despite not declaring it. Risk is medium due to hidden script trust and high-impact actions, not clear malware indicators.
Confidence: 84%
Severity: 56%
Audit Metadata