update-skills
Warn
Audited by Socket on Mar 16, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The skill's stated purpose matches its behavior, but that behavior is inherently high-trust: it updates or reinstalls other skills from remote GitHub-hosted sources through a transitive trust chain. There is no sign of credential theft or covert exfiltration, yet the combination of third-party GitHub sourcing, project/global modification, and skill-to-skill installation/update makes this a high supply-chain risk rather than a benign low-risk utility.
Confidence: 89%
Severity: 74%