review-demos
Warn
Audited by Socket on Mar 17, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the core review workflow matches the stated purpose, but the skill is over-privileged and high-impact. It reads local secret files, sends some review inputs to a third-party API, and can autonomously write to CRM and Supabase based on untrusted web content. No malware-like payloads or suspicious installers are present, but the data handling and action scope are broader than necessary for QA review.
Confidence: 88%
Severity: 66%
Audit Metadata