but

The GitButler skill presents a coherent purpose—replacing standard git interactions with a specialized 'but' workflow and providing installation and workspace-management features. However, there is a notable supply-chain risk due to the installation instruction that downloads and executes a script from an external domain (https://gitbutler.com/install.sh) without verifiable provenance, checksums, or registry-backed verification. This pattern warrants a securityRisk above baseline (suspicious to high risk) and, given the explicit unverifiable binary installation, should be treated as at least high risk until provenance and integrity can be verified. Data flows are largely contained to standard local workspace operations and remote git endpoints, but the installation path constitutes a critical data-flow and trust concern. Overall, the risk is elevated (securityRisk around 0.7) due to the installer pattern, with malware likelihood not confirmed but non-negligible without better supply-chain safeguards.