finalize

SUSPICIOUS: The visible workflow is mostly coherent for a finalize/QA skill and uses official Git/GitHub surfaces, but it chains several unspecified slash skills and can perform external repository actions like push and PR updates. The main risk is opaque transitive trust and semi-autonomous publishing behavior, not confirmed malware or credential theft.