github-copilot-cli
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File

The skill is coherently aligned with its stated purpose of guiding installation, authentication, usage, MCP, and extensibility for GitHub Copilot CLI. However, there is a notable security concern: the recommended installation method includes a curl|bash pipeline from a remote URL (gh.io/copilot-install). This pattern is a download-and-execute vector and increases the risk of supply-chain compromise or tampered installers. Authentication guidance via GH_TOKEN is standard but should emphasize scoped tokens and avoiding exposure in logs. The skill's data flows involve local configuration files and environment variables, which is expected for CLI tooling but requires careful handling to avoid credential leakage. Overall, the footprint is proportionate to a developer tooling guide, but the download-execute pattern elevates security risk to Suspicious (and near this level for unverifiable binary distribution); treat as suspicious until a verifiable, signed installer from an official registry is provided. Risk increases if third-party or transitive installation of MCP/skill components is introduced without strict verification.