init-project

SUSPICIOUS: the stated purpose is coherent, but the skill’s core dependency is an unverifiable `foyer` CLI with no publicly confirmed publisher, install source, or release integrity evidence. The instructions are otherwise scoped and include confirmation gates, so this is not confirmed malware, but it is high supply-chain risk.