wp-trac-timeline

The skill metadata itself is reasonable for its purpose but grants a powerful sink: executing a local PHP script with user-derived arguments. Without the timeline.php source, there is meaningful risk of credential exposure, data exfiltration, or arbitrary command execution. Treat this package as a medium security risk until timeline.php is reviewed and validated. If the script is verified to be well-behaved (restricted network targets, safe auth, no arbitrary filesystem access), the risk is acceptable for the stated function.