skill-manager
Warn
Audited by Socket on Apr 23, 2026
1 alert found:
Anomaly: LOW
scripts/install.sh
This bash fragment is primarily a deployment/installer utility with no clear direct malware (no exfiltration, backdoor, or obvious credential theft) in the shown code. However, it carries meaningful supply-chain risk: it fetches arbitrary GitHub content without integrity/provenance verification and installs it into a directory likely used by other tooling, while also creating symlinks to user-controlled filesystem paths and executing local helper scripts (record.py/security.py) if present. The actual malware probability depends heavily on the contents of record.py/security.py and the downstream consumer of the installed skills/commands.
Confidence: 62%
Severity: 66%
Audit Metadata