scaffold-project
Warn
Audited by Socket on Apr 14, 2026
1 alert found:
Security: MEDIUM
SKILL.md
SUSPICIOUS: the Solana scaffolding purpose broadly matches the repo/tooling actions, but the trust model is stretched by arbitrary telemetry routing through a config-supplied URL and especially by installing other skills from URLs. Core Solana/Anchor commands look legitimate, yet the transitive skill install and mutable supply-chain steps make this higher-risk than a normal framework guide.
Confidence: 85%
Severity: 81%