skill-installer
Audited by Socket on Feb 22, 2026
1 alert found:
Malware
[Skill Scanner] Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

No direct signs of malicious code or backdoors in the reviewed manifest/instructions. Primary concerns are supply-chain and credential-handling risks: unpinned direct downloads from branch heads (default 'main'), use of powerful GitHub credentials to fetch arbitrary code, and the ability to overwrite local skills including system-provided ones. These behaviors are legitimate for a skill-installer tool but should be hardened: enforce pinning, add integrity/signature checks, minimize credential scope, and require explicit user confirmations and provenance logging prior to installation. Treat this as a moderate to high supply-chain risk in absence of those mitigations.

LLM verification: This skill installer’s documented behavior is functionally consistent with its purpose (listing and installing skills from GitHub), but it carries a significant supply-chain risk: it can download and install arbitrary code from arbitrary GitHub repos (including private ones using provided tokens or local git credentials), may require sandbox escalation to perform network operations, and allows overwriting existing skills. There is no mention of integrity verification (signatures or checksums) or