octocode-install

Warn

Audited by Socket on Apr 9, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill is broadly aligned with its claimed installer purpose, but it carries medium-high security risk because it runs unpinned third-party npm code, forwards GitHub credentials to Octocode tooling, and installs additional skills into multiple AI clients. No clear evidence of malware or hidden exfiltration is present in the text, but the supply-chain and transitive-trust footprint is larger than a minimal setup helper.

Confidence: 81%
Severity: 72%

Audit Metadata

Analyzed At: Apr 9, 2026, 02:20 PM
Package URL: pkg:socket/skills-sh/bgauryy%2Foctocode-mcp%2Foctocode-install%2F@9708008724c2175ae4f63d2175b4212ace2819a9