discover-a-skill

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This SKILL.md is a benign-looking manifest describing how the askill agent should discover, install and run skills. However, its install and execution model creates a moderate-to-high supply-chain and privilege risk: it allows installing and automatically running code from arbitrary GitHub repos and other sources, references local credentials and lock files, and encourages automated (-y) non-interactive installs and setup runs. The document itself contains no direct malicious code or obfuscation, but it defines a workflow that could be abused to harvest credentials or execute malicious payloads via third-party skills. Recommend treating installs from untrusted sources as high risk: require pinned commits, signatures and manual approval, and limit installed skills' access to credentials and network capabilities.

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At: Mar 1, 2026, 01:39 AM
Package URL: pkg:socket/skills-sh/avibe-bot%2Faskill%2Fdiscover-a-skill%2F@e7b1661699901b5cdb485bc697d65463c1ec69d2