questlog

Warn

Audited by Socket on Apr 7, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS: the skill's core purpose is coherent, but it relies on a not-clearly-verifiable npm CLI, reads persisted auth config, uploads local files to a remote server, and performs transitive MCP/skill installation via `ql install`. The data flows are plausible for a task system, yet the install trust and transitive-loading behavior raise medium risk.

Confidence: 82%
Severity: 61%

Audit Metadata

Analyzed At: Apr 7, 2026, 02:09 PM
Package URL: pkg:socket/skills-sh/passportxyz%2Fquestlog%2Fquestlog%2F@87d6cfa88fc537eb794fdaa6f955abcda4e65eb2