skill-builder
Audited by Socket on Mar 10, 2026
1 alert found:
Security: The skill-builder document describes a governance/optimization tool with an external updater that fetches and executes a remote installer. This creates a significant supply-chain risk and potential for code execution outside the controlled repository, which is incongruent with a tightly scoped, auditable skill-management capability. The combination of a download-and-execute updater, unverifiable binary provenance, and a remote code execution flow warrants a SUSPICIOUS risk posture, with securityRisk elevated due to the external installer pattern. Best practice would require pinning installers, using official registries, checksums/signatures, and providing a verifiable bootstrap mechanism rather than direct curl|bash execution from a raw URL.