jazz-schema-migrations
Fail
Audited by Socket on Mar 18, 2026
1 alert found:
Obfuscated File (HIGH): install.sh
The script itself is not malicious: it is an installer wrapper that delegates installation to local or remote installers. The primary security risk is supply-chain: it executes external code (local binary, local TypeScript, or npm package) without verification. Recommended mitigations: audit installer/src/installer.ts before running; prefer preinstalled 'agent-skills' from a trusted package manager; avoid npx fallback in sensitive environments or pin and vendor the installer artifact; run installers in constrained environments (containers/limited-privilege users) where possible; verify package signatures/checksums if available.
Confidence: 98%
Audit Metadata