gangtise-copilot
Audited by Socket on May 12, 2026
2 alerts found:
Security Anomaly: No overt malware logic is present in this installer wrapper; it mainly performs download, extraction, copying, and symlinking of skill bundles. However, it introduces significant supply-chain risk by installing remote ZIP content without cryptographic integrity/authenticity checks and extracting archives without script-enforced safety controls. Additionally, the `--only` value is not sanitized before being used in filesystem paths and symlink targets, which increases the risk of unintended filesystem targeting if an attacker can influence inputs. Treat as a security-sensitive installer and mitigate via artifact verification (e.g., signed bundles/checksums) and safer handling of user-controlled skill names and archive paths.