installing-skills
Audited by Socket on Feb 27, 2026
2 alerts found:
Anomaly (Security): The code fragment presents a legitimate remote-install capability but introduces notable supply-chain and runtime risks due to unvalidated downloads and a hardcoded install path. It is not inherently malicious, but requires robust safeguards (integrity verification, allowlisting, sandboxing, and least-privilege execution) to reduce risk before production use.
The package is an installer that pulls SKILL.md and possibly other repository assets from a public GitHub repository into the agent's skill directory. There is no direct evidence of malicious code in the provided documentation itself, but the installation pattern exhibits multiple supply-chain weaknesses: download-and-execute behavior (via a local install script), lack of integrity/pin/signature verification, automatic trigger-based installs, and placing unvetted files into the agent's execution path. These factors constitute a moderate-to-high security risk for agents that auto-load or execute content from /mnt/skills/user. Recommendations: require explicit, per-install operator confirmation; pin to commit SHAs or signed release artifacts; validate content (checksums/signatures); avoid automatically running install scripts downloaded from the repo without manual review; restrict network/file system privileges for installed skills or sandbox their execution; and log/alert on installation events for review.