fjo

SUSPICIOUS: the stated purpose is coherent, but the skill depends on a non-official X-CMD wrapper and forwards Forgejo tokens into that third-party runtime. There is no direct evidence of malware or exfiltration, yet install trust and credential-handling are weaker than an official Forgejo integration and are not clearly disclosed in the skill.