template-initialization
Warn
Audited by Socket on Mar 13, 2026
1 alert found:
Security: MEDIUM
SKILL.md
SUSPICIOUS: the core template bootstrap behavior is coherent, but the skill overreaches by adding external skill discovery and automatic Copilot tool installation. The main risk is supply-chain and transitive trust expansion, especially the third-party `specify-extend` package and non-official command path; this is not confirmed malware but is higher-risk than a normal local project initializer.
Confidence: 87%
Severity: 74%
Audit Metadata