sophnet-skill-installer
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File

The skill aligns with its stated purpose of discovering and installing Sophnet skills from a default GitHub repo with a fallback, and it includes version comparison logic. However, there are notable security concerns: transitive installations from unverified external repos, optional but potentially risky handling of GitHub tokens, and the use of scripts that download and write to the workspace, which could be manipulated if inputs are not strictly validated. The data flows depend on external sources (GitHub APIs), and credentials could be exposed through logs or environment variables. Overall, the footprint is SUSPICIOUS rather than clearly BENIGN, due to supply-chain and credential-exposure risks inherent in remote installs and multi-source behavior. Recommend tightening: restrict to verified repositories, enforce strict input validation, avoid logging sensitive tokens, and consider pinning skill sources with checksums/signatures.