gl

SUSPICIOUS: the skill’s purpose is coherent, but it depends on a non-official third-party CLI and forwards GitLab tokens into it. The installer provenance is same-org and public, so this is not confirmed malware, but the remote installer and credential-forwarding pattern create medium security risk.