gh-bootstrap

Warn

Audited by Socket on Mar 24, 2026

2 alerts found:

Anomaly (x2)

Anomaly, severity LOW: references/RULES.md

The code fragment describes a bootstrap workflow that downloads templates from external URLs and performs variable substitution to generate project files. The primary security concern is the reliance on external templates from unspecified sources, which could introduce malware, backdoors, or misconfigurations into the target project. Without provenance verification, input validation, or sandboxing for template content, this pattern poses a moderate to elevated supply-chain risk depending on template source trust and enforcement of secure download practices.

Confidence: 59%, Severity: 60%

Anomaly, severity LOW: SKILL.md

SUSPICIOUS: The stated purpose matches repository bootstrapping, but the skill’s trust boundary depends on unseen template repository URLs in template-catalog.md. Main risks are unverified remote template provenance and indirect prompt injection from fetched content combined with Bash/Write access; there is no clear evidence of credential theft or overt exfiltration in the provided snippet.

Confidence: 81%, Severity: 53%

Audit Metadata
Analyzed At
Mar 24, 2026, 03:17 PM
Package URL
pkg:socket/skills-sh/bahayonghang%2Fmy-claude-code-settings%2Fgh-bootstrap%2F@e2ee7a2ee85ca954670f760ae265093799391e7f