prepare-wordpress

SUSPICIOUS. The main WordPress scaffolding behavior is coherent and mostly uses normal developer tooling, but the skill also performs transitive installation of multiple agent skills from unpinned GitHub sources, including a personal third-party repository and an archived/migrated repo reference. That extra trust chain is disproportionate to simple project setup and is the main risk driver, though there is no strong evidence of credential theft or overtly malicious behavior.