gastown-upstream-sync

Fail

Audited by Socket on Feb 27, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This is a maintenance/instruction skill for responsibly syncing a gastown fork with upstream. Its stated purpose and capabilities are coherent: it enumerates detection steps, safe flows for handling conflicts, mandatory build/test steps before pushing, and a checkpoint before any remote pushes. The primary security concerns are operational: the file prescribes destructive Git operations (resets, force-pushes, branch deletions) which can cause data loss or disruption if executed without correct context or human approval. It also depends on local GitHub credentials (gh, git, SSH keys) and will use them to push changes; that is expected for the task but means an agent running these steps must be trusted and require explicit user confirmation. There are no signs of hidden exfiltration, obfuscated code, remote download-execute chains, or requests to unknown third-party endpoints. Overall this skill is functionally appropriate for its purpose but carries medium operational risk due to destructive git operations and history-rewriting pushes — it should only be executed by a trusted human operator or an agent with strict approval gates.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 27, 2026, 10:43 AM
Package URL
pkg:socket/skills-sh/xexr%2Fmarketplace%2Fgastown-upstream-sync%2F@85bb16f2deb329185550052e00a415a62437b8ab