copilotkit-self-update
Warn
Audited by Socket on May 9, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill's purpose matches its behavior, but its sole function is to run a remote `npx`-based installer that fetches and installs fresh skills, creating a transitive trust chain and unreviewed supply-chain exposure. There is no strong evidence of credential theft or malware, but the update mechanism is higher risk than a normal documentation-only skill.
Confidence: 84%
Severity: 67%
Audit Metadata