sync-provider

SUSPICIOUS. The core GitHub sync and diff workflow is coherent with the stated purpose and uses mostly official tooling, but the mandatory Pal MCP step introduces third-party data sharing of repository context and full file paths, and the workflow processes untrusted upstream diffs while retaining code-write/exec powers. This is not confirmed malicious, but it carries medium risk from external data flow and indirect prompt-injection exposure.