skill-group

SUSPICIOUS: the stated purpose matches its behavior as a meta-orchestrator, but its footprint is risky because it instructs transitive installation and full execution of third-party sub-skills, defaulting to a personal GitHub registry unrelated to the CLI publisher. No confirmed malware or direct credential theft is present in this skill alone, but it meaningfully expands trust and prompt-injection surface.