init-project

SUSPICIOUS: the core project-bootstrap behavior is coherent with the stated purpose, but the skill materially expands its footprint by installing and invoking multiple other skills, using unpinned remote executors, and making local/git/Linear state changes. This looks more like a broad automation/orchestration skill than malware, but the transitive trust and supply-chain exposure make it medium-high risk.