octocode-install

Warn

Audited by Socket on Jun 18, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill’s purpose matches its installer behavior, but it relies on unpinned npx execution, forwards GitHub credentials to third-party package code, and performs transitive skill installation. This is more consistent with a risky installer than overt malware; use only if the Octocode npm packages and publisher are independently verified.

Confidence: 79%
Severity: 67%

Audit Metadata
Analyzed At: Jun 18, 2026, 04:45 AM
Package URL: pkg:socket/skills-sh/bgauryy%2Foctocode%2Foctocode-install%2F@2ab32d8c5ec0c96c7729f6eef1510520bab302389e65dd976ef123ef2e0fc40d