sonarqube
Warn
Audited by Socket on Apr 7, 2026
1 alert found:
Anomaly (LOW): skills/sonarqube/SKILL.md
SUSPICIOUS: The skill’s core behavior matches its stated SonarQube purpose and uses official SonarSource infrastructure, so it does not look malicious. However, autonomous code changes, command execution, and especially the localhost admin/admin bootstrap with token persistence to .env make its trust and secret-handling footprint higher than a simple reporting skill.
Confidence: 85%
Severity: 56%
Audit Metadata