worktree-setup

SUSPICIOUS: The skill is broadly aligned with worktree setup, but its preferred path depends on an unrelated third-party global CLI installed unpinned from npm, and it copies secret-bearing `.env` files while also allowing project-defined post-create commands to run. No clear exfiltration or overtly malicious behavior is shown, but the install trust and local-impact footprint are higher than ideal for a setup helper.