install-script-generator

The skill presents a coherent, high-utility approach for generating installers and supporting documentation. However, its reliance on delivering and executing a script directly from a GitHub raw URL (curl|bash) without explicit verification or pinning introduces notable supply-chain and execution-risk. Given the potential for malicious hosting or tampered scripts, the footprint is suspicious relative to the stated safe-builder intent. No credentials or secret data are required by the skill itself, which is positive, but the common one-liner delivery pattern requires mitigations (e.g., checksum verification, GPG signing, or in-script verification) to be deemed benign in practice.