skill-installer

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The skill-installer performs legitimate, necessary actions to install skills from GitHub but embodies moderate to high supply-chain risk. Key risks: installing arbitrary (uncurated) repos into a runtime, use and potential forwarding of credentials (GITHUB_TOKEN/GH_TOKEN and system git credentials), fallback to host git tooling, and the ability to overwrite system-managed skills. I do not see evidence of explicit malicious code in this description, but the installer significantly raises the attack surface for downstream code execution. Operational mitigations: require curator review before installing untrusted skills, avoid passing long-lived tokens, prefer pinned commits or signed artifacts, run installs in isolated environments with least privilege, and restrict ability to overwrite .system skills.
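The mitigations listed above (pin to a full commit, do not forward long-lived tokens, never overwrite system-managed skills) as a worked example. This is an added illustration, not skill-installer's own code: it assumes a skill is addressed as OWNER/REPO@SHA, is cloned to SKILLS_DIR/OWNER__REPO, and that a leading-dot name such as .system marks a reserved, system-managed skill. The spec in the demo is built from the audited package URL; the `fake_git` runner and the example token are constructed so the script runs offline.

```python
"""Policy-checked installer for a GitHub-hosted skill at a pinned commit.

Added example, not skill-installer's own code. Assumed conventions:
OWNER/REPO@<40-hex sha> specs, install dir SKILLS_DIR/OWNER__REPO, and
dot-prefixed names (e.g. .system) reserved for system-managed skills.
"""
from __future__ import annotations

import os
import re
import subprocess
import types
from pathlib import Path

# Branch names and short SHAs are rejected on purpose: only a full commit is a pin.
SPEC_RE = re.compile(
    r"^(?P<owner>[A-Za-z0-9][A-Za-z0-9-]{0,38})/"
    r"(?P<repo>[A-Za-z0-9][A-Za-z0-9._-]{0,99})@(?P<sha>[0-9a-f]{40})$"
)

# Never inherited by the child git process: credentials, and the hooks git
# would use to look them up or prompt for them.
SECRET_ENV = frozenset({"GITHUB_TOKEN", "GH_TOKEN", "GIT_ASKPASS", "SSH_AUTH_SOCK"})


class PolicyError(ValueError):
    """Raised when an install request violates the pin/overwrite policy."""


def parse_spec(spec: str) -> tuple[str, str, str]:
    m = SPEC_RE.fullmatch(spec)
    if not m:
        raise PolicyError(f"not a pinned spec OWNER/REPO@<full sha>: {spec!r}")
    return m["owner"], m["repo"], m["sha"]


def scrub_env(env: dict) -> dict:
    """Drop credential variables and make git fail rather than prompt."""
    clean = {k: v for k, v in env.items() if k not in SECRET_ENV}
    clean["GIT_TERMINAL_PROMPT"] = "0"  # no interactive password prompt
    clean["GIT_CONFIG_NOSYSTEM"] = "1"  # ignore system-wide credential helpers
    return clean


def destination(skills_dir, name: str) -> Path:
    """Resolve the install dir; refuse reserved, escaping, or already-present paths."""
    root = Path(skills_dir).resolve()
    dest = (root / name).resolve()
    if dest.parent != root or name.startswith("."):
        raise PolicyError(f"refusing reserved or external path: {dest}")
    if dest.exists():
        raise PolicyError(f"refusing to overwrite existing skill: {dest}")
    return dest


def install_pinned(spec: str, skills_dir, run=subprocess.run, env=None) -> Path:
    """Fetch exactly the pinned commit and verify HEAD matches before returning."""
    owner, repo, sha = parse_spec(spec)
    dest = destination(skills_dir, f"{owner}__{repo}")
    clean = scrub_env(dict(os.environ if env is None else env))
    url = f"https://github.com/{owner}/{repo}.git"
    git = ["git", "-C", str(dest)]
    run(["git", "init", "-q", str(dest)], check=True, env=clean)
    # GitHub serves fetches by commit SHA; only that commit is pulled.
    run(git + ["fetch", "-q", "--depth=1", url, sha], check=True, env=clean)
    run(git + ["checkout", "-q", "--detach", "FETCH_HEAD"], check=True, env=clean)
    head = run(git + ["rev-parse", "HEAD"], check=True, env=clean,
               capture_output=True, text=True).stdout.strip()
    if head != sha:
        raise PolicyError(f"fetched {head} but pin was {sha}")
    return dest


def fake_git(head: str):
    """Constructed stand-in for subprocess.run: records commands, answers rev-parse with `head`."""
    calls = []

    def run(cmd, **kw):
        calls.append((list(cmd), kw))
        out = head + "\n" if list(cmd[-2:]) == ["rev-parse", "HEAD"] else ""
        return types.SimpleNamespace(returncode=0, stdout=out, stderr="")

    run.calls = calls
    return run


if __name__ == "__main__":
    import tempfile

    # Spec assembled from the audited package URL; the token value is constructed.
    pin = "cyb3rdudu/dotfiles@97d0788328e7050b3552d892b37508a9e16ef26a"
    with tempfile.TemporaryDirectory() as d:
        git = fake_git(pin.split("@")[1])
        print("installed to", install_pinned(pin, d, run=git, env={"GH_TOKEN": "example-token"}))
        for cmd, kw in git.calls:
            assert "GH_TOKEN" not in kw["env"]
            print(" ".join(cmd))
        for bad in ("cyb3rdudu/dotfiles@main", "cyb3rdudu/dotfiles@97d0788"):
            try:
                install_pinned(bad, d, run=git)
            except PolicyError as e:
                print("rejected:", e)
```

With the default `run=subprocess.run` the same function performs a real fetch; the post-checkout `rev-parse` comparison is what turns "pinned in the spec" into "verified on disk", and `destination()` is where a curator would hook in review of the owner/repo before anything is fetched.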

Confidence: 98%
Severity: 90%
Audit Metadata
Analyzed At
Mar 1, 2026, 03:21 PM
Package URL
pkg:socket/skills-sh/cyb3rdudu%2Fdotfiles%2Fskill-installer%2F@97d0788328e7050b3552d892b37508a9e16ef26a