changelog-gen
Warn
Audited by Socket on Mar 24, 2026
1 alert found:
Anomaly (LOW) in SKILL.md
The skill’s core behavior is coherent with changelog generation, but it relies on executing a remote npm package and sending local commit history plus an API key through that package to an external AI service. This is better classified as suspicious/medium risk rather than malicious due to supply-chain trust and data exposure concerns, especially without independent verification of the package publisher.
Confidence: 82%
Severity: 61%
Audit Metadata