security-review-3
Fail
Audited by Socket on Mar 18, 2026
1 alert found:
Malware (HIGH): SKILL.md
SUSPICIOUS: the stated purpose is legitimate, but the skill is not self-contained and requires fetching fresh remote instructions from a mutable GitHub URL, then following them. That transitive remote-control pattern is disproportionate for a review skill and materially raises supply-chain and prompt-injection risk, even though the listed audit commands themselves are normal.
Confidence: 87%
Severity: 76%
Audit Metadata