awesome-skills-deepdive

SUSPICIOUS: the core audit purpose is plausible, and network endpoints are mostly official, but the skill grants broad write/push powers, performs autonomous public publication, and processes large amounts of untrusted external skill content with subagents that can write files. The main risk is not malware-like exfiltration; it is unsafe autonomy plus prompt-injection exposure in a repo-syncing workflow.