agent-v3-integration-architect
Audited by Socket on Mar 18, 2026
1 alert found:
Security: The skill content is largely a migration/integration plan and documentation, but it includes multiple supply-chain and operationally risky patterns. Highest concerns stem from the usage of npx agentic-flow@alpha in pre/post hooks (download-and-execute of an unpinned package) and forwarding runtime task content to that package's 'memory store-pattern' command — both create clear avenues for data exfiltration or arbitrary remote code execution. The migration code also contains destructive file-deletion operations that could irreversibly remove source code if run without safeguards. Overall this SKILL.md is not overtly malicious in intent, but it is SUSPICIOUS from a supply-chain and operational-safety perspective: it delegates sensitive actions to third-party alpha packages and automates destructive filesystem changes. Recommend treating the npx invocations as high-risk (require explicit human review, pin packages, add integrity checks), avoid passing raw runtime variables to external CLIs, add confirmation/backups before deletions, and reduce the skill's permissions and autonomous destructive actions.