skill-installer

The package implements a legitimate skill installer but carries moderate-to-high supply-chain risk because it fetches and writes remote code into the agent's skills directory and supports arbitrary GitHub sources and authenticated access. Primary risks are transitive code execution (installing unvetted or malicious skills), credential exposure when using tokens or system git credentials, and potential overwriting of trusted system skills. Treat this component as security-sensitive: enforce strict source allowlisting (prefer curated list), require explicit user/human approval for installs from non-curated sources, add integrity verification (pinning/signatures), restrict credential usage and avoid automatic forwarding to subprocesses, and disallow or heavily guard overwriting of .system skills.