github-copilot-cli
Warn
Audited by Socket on May 17, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The core GitHub Copilot CLI documentation is coherent and mostly benign, using official GitHub install/auth paths. Risk rises because the skill also encourages optional MCP integrations that fetch third-party packages with `npx -y` and pass tokens/DB credentials into them, creating transitive trust and credential-forwarding exposure beyond the core stated purpose.
Confidence: 87%
Severity: 66%
Audit Metadata