scaffold

SUSPICIOUS. The skill’s purpose and capabilities mostly align for scaffolding, and I see no direct credential harvesting or outbound exfiltration. However, it requires executing an external hoyeon-cli binary whose provenance is not verified in the provided evidence; that alone makes the install/execution trust high risk under the mandated scoring rules. The rest of the behavior is largely coherent and locally scoped.