code-pipelines
Audited by Socket on Mar 10, 2026
1 alert found:
Obfuscated File

The skill is broadly coherent with its stated purpose of building durable GTM automation pipelines using Trigger.dev and the Personize SDK, providing scaffolding, templates, and end-to-end lifecycle guidance. However, there are notable security concerns: sensitive credentials (PERSONIZE_SECRET_KEY, TRIGGER_SECRET_KEY) are required in environment configuration without explicit rotation/least-privilege controls; data flows traverse multiple external services, which increases potential data exposure; dependency provenance and runtime governance enforcement are not fully specified. The combination of sensitive credentials, multi-service integrations, and potential logging of memory/tool results requires stronger credential management, explicit data-flow scoping, and verifiable dependency security before this skill can be considered low-risk. Overall, the skill is credible for its purpose but is currently SECURITY-REVIEW-SUSPICIOUS given the credential handling and data-flow surface without stronger safeguards.