gh-issues

Warn

Audited by Socket on Apr 24, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill’s GitHub automation purpose is broadly coherent and its network/data flows stay on official GitHub endpoints, but it is high-risk because it reads raw tokens from local files, forwards them into git remote URLs, and enables autonomous external actions like pushes, PRs, review replies, and Telegram posts based on untrusted issue/review content. The biggest concern is operational scope and credential handling, not confirmed malware.

Confidence: 91%
Severity: 76%
Audit Metadata
Analyzed At: Apr 24, 2026, 10:07 AM
Package URL: pkg:socket/skills-sh/steipete%2Fclawdis%2Fgh-issues%2F@a5c61e13c74bab0d200bfde42967878fdcc1b172