qe-pair-programming

Warn

Audited by Socket on Feb 27, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is documentation/configuration for an AI-assisted pair-programming CLI. I found no code in the provided content that directly performs network calls to suspicious domains, no embedded or obfuscated malicious payload, and no direct instructions to download and execute remote binaries. The primary risks are supply-chain (installing an unpinned alpha CLI from npm), credential exposure via session exports or careless Git pushes, and automation features that can modify/publish repository contents if misconfigured. These risks are consistent with legitimate tooling but require cautious use: verify the claude-flow package provenance, avoid enabling unattended auto-push or auto-commit settings, and ensure session recordings/exports do not contain secrets before sharing. Overall there is low likelihood of direct malware in this document, but moderate operational security risk if the installed CLI or user configuration is abused.

Confidence: 75%
Severity: 75%
Audit Metadata
Analyzed At: Feb 27, 2026, 06:13 PM
Package URL: pkg:socket/skills-sh/proffesor-for-testing%2Fagentic-qe%2Fqe-pair-programming%2F@d3b5bc11493eb0a5c12d7dd98e3bca938a3e1248