gha-security-review
Warn
Audited by Socket on Mar 15, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: The skill is coherent as a GitHub Actions security-audit playbook and shows no install-chain, credential-harvesting, or exfiltration behavior. However, it equips an AI agent with offensive workflow-exploitation review techniques and instructs analysis of untrusted repository content, creating meaningful security risk despite otherwise proportionate scope.
Confidence: 90%
Severity: 74%
Audit Metadata