od-contribute
Warn
Audited by Socket on Jun 12, 2026
1 alert found:
Anomaly (LOW): install.sh
No direct malware or explicit exfiltration/backdoor behavior is present in this installer fragment. However, it is a high-impact supply-chain installer: it fetches and installs remote repository content without any cryptographic integrity/authenticity verification, allows user-controlled branch selection, and preserves a credential-like .gh-token across reinstalls. If the upstream repository/branch (or the served tarball contents) is compromised, this script can propagate malicious agent skill/command content into the user’s agent environments with persistent token availability.
Confidence: 100%
Severity: 60%