developing-tessl-skills

Fail

Audited by Socket on Mar 1, 2026

1 alert found:

Malware (HIGH)
SKILL.md

The workflow description is functionally reasonable for preparing Tessl skills, but it demonstrates moderate supply-chain and operational risks: unpinned pipe-to-shell installer, lack of installer integrity verification, credential usage without storage/telemetry detail, and an automated remote-driven edit step that can write to repository files and be auto-accepted. There is no direct evidence in this document of obfuscated malicious code or explicit data-exfiltration routines, but the operational patterns could enable abuse if Tessl infrastructure or distribution is compromised. Recommended mitigations: avoid curl|sh installers (offer pinned checksums or package manager installs), require explicit manual review before accepting automated edits, document exactly what data the CLI transmits and how credentials are stored, and recommend verifying installer signatures and using least-privilege tokens for CI/automation.

Confidence: 98%
Severity: 90%
Audit Metadata

Analyzed At: Mar 1, 2026, 11:59 AM
Package URL: pkg:socket/skills-sh/nagaakihoshi%2Fskills%2Fdeveloping-tessl-skills%2F@7fad744c778711429a2acf1c0a36159ad996c163