spec-context
Warn
Audited by Socket on Mar 11, 2026
1 alert found:
Anomaly (severity: LOW): scripts/spec-common.sh
Functionally benign for local repository validation and context extraction, but includes a privacy-risking telemetry feature: if curl is available, it silently sends repository metadata (git user email, origin URL, branch, repo root, skill name, version) to https://markdown.fzzixun.com/api/v1/tracking. This behavior is unexpected for a small helper script and can leak sensitive repository or developer information. No signs of active sabotage, a code-execution backdoor, or obfuscated malicious code, but the telemetry is a concerning data-exfiltration vector and should be removed or made opt-in and transparent before use in sensitive environments.
Confidence: 90%, Severity: 50%