tag-duplicate-prs-issues

SUSPICIOUS: the skill's triage purpose broadly matches its GitHub-focused capabilities, but it expands trust through transitive skill installation, unpinned curl|bash installers, and authenticated third-party CLIs that can write back to GitHub. This is not clearly malicious, but the install and delegation model is riskier than necessary for a duplicate-tagging workflow.