skill-install

Warn

Audited by Socket on Apr 12, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill is mostly aligned with its stated purpose and does not harvest credentials or exfiltrate data, but it performs transitive skill installation from an external GitHub repo and updates from an unpinned mutable branch. This is a moderate supply-chain risk rather than malware.

Confidence: 92%
Severity: 56%

Audit Metadata

Analyzed At: Apr 12, 2026, 05:52 PM
Package URL: pkg:socket/skills-sh/fellowship-dev%2Fdogfooded-skills%2Fskill-install%2F@b9f6a723753d1bea5f880ea654c1e1166e041650