create-mr
Warn
Audited by Socket on Mar 16, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the skill’s purpose is coherent, but it relies on a non-official ai-review CLI, reads a local credential file, and routes GitLab actions through third-party code that handles PAT-backed API operations. This is not confirmed malware, but the credential-forwarding and install-trust model make it higher risk than a direct GitLab integration.
Confidence: 83%
Severity: 74%