skill-installer

This skill's stated purpose (listing curated skills and installing skills from GitHub into $CODEX_HOME/skills) is consistent with the capabilities described. Primary risks are supply-chain in nature: downloading and writing code into the agent's skill directory and enabling installation of arbitrary third-party skills (transitive trust). The installer legitimately requires network access and may use GITHUB_TOKEN or existing git credentials for private repos; that is expected but increases credential-exposure risk if tokens or git credentials are mishandled by the environment or by installed skills. There is no evidence in the provided description of direct malicious behavior (no hardcoded attacker domains, no exfiltration code, no obfuscation). Recommended mitigations: restrict installs to curated sources by default, surface clear warnings before installing from arbitrary repos, avoid embedding tokens in command lines, ensure installed skills are validated (checksums/signatures or manual review), and avoid allowing automatic overwrite of .system skills without explicit, irreversible user confirmation.