harness-update
Warn
Audited by Socket on Jun 10, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s actions mostly fit its stated migration/update purpose, but it relies on an unpinned GitHub clone-and-execute installer from a low-verifiability repo with no release trail. Data flow stays local except for the GitHub fetch, and requested file changes are proportionate, so this looks more like supply-chain/install-trust risk than confirmed malicious behavior.
Confidence: 100%
Severity: 60%
Audit Metadata