pre-ship-review
Warn
Audited by Socket on Apr 4, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS: The skill’s core review behavior is coherent and mostly benign for a pre-ship QA workflow, but its footprint is broadened by transitive skill orchestration and self-modification instructions. The main concrete security issue is install trust: the documented `pip install pyright` path uses an unofficial third-party wrapper rather than the primary publisher distribution, making the toolchain less trustworthy than the skill implies. No credential harvesting, exfiltration endpoints, or clearly malicious data flows are present.
Confidence: 87%
Severity: 56%