workspace-setup

SUSPICIOUS: The skill's purpose is legitimate and the main tools are standard, but it grants the agent authority to execute arbitrary shell commands extracted from WORKSPACE.md and repo-controlled npm scripts. That is proportionate to setup automation yet materially risky because trust is delegated to unvalidated local content and third-party dependency scripts.