build-skill
Audited by Socket on May 17, 2026
1 alert found:
Anomaly: This module shows no evidence of direct malware (it does not execute downloaded artifacts, contains no credential theft or exfiltration logic, and does not use obfuscated or dynamic execution). However, it is a supply-chain-relevant orchestrator: it discovers and triggers parallel downloads of third-party skill repositories from scraped URL data, while delegating all high-risk networking and any repository processing or execution to `scripts/skill-dl`. The main risks in this wrapper are weak trust and target control (minimal validation, with URL-derived values driving which repositories are downloaded), reduced observability (stderr is suppressed during discovery, so failures and unexpected targets go unseen), and use of an unvalidated destination path. Review `scripts/skill-dl` for any post-download execution, network callbacks, or data exfiltration, and consider adding host allowlists and stronger validation of discovered URLs and destination paths.
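The mitigations the alert recommends (an allowlist for download sources, validation of URL-derived targets, confinement of the destination path, and keeping rejections visible instead of suppressing them) can sit in the wrapper before anything is handed to the downloader. The following is an added example and is not code from the build-skill module, from `scripts/skill-dl`, or from Socket. It assumes the orchestrator passes each discovered URL plus a destination root to a downloader; the allowlisted hosts, the `owner/repo` layout, the `validate_target`/`triage` names and the scraped URL list are all constructed for illustration.

```python
"""Allowlist-based validation of scraped skill-repository URLs and destination paths.

Added example (not part of the audited module). Assumptions: downloads come from
HTTPS git hosts laid out as https://<host>/<owner>/<repo>, and each repository is
checked out into <dest_root>/<owner>/<repo>. Hosts and sample URLs are made up.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the wrapper may fetch from; adjust per deployment.
ALLOWED_HOSTS = frozenset({"github.com", "gitlab.com"})
# Exactly two path segments (owner, repo); an optional ".git" suffix is stripped.
REPO_PATH = re.compile(r"^/(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)(?:\.git)?/?$")


class RejectedTarget(ValueError):
    """Carries a human-readable reason so discovery can log it rather than hide it."""


@dataclass(frozen=True)
class Target:
    url: str   # canonical https URL the downloader is allowed to fetch
    dest: str  # absolute destination directory, confined under dest_root


def parse_url(raw: str) -> Tuple[str, str, str]:
    """Return (host, owner, repo) for an allowlisted URL, or raise RejectedTarget."""
    parts = urlsplit(raw.strip())
    if parts.scheme != "https":
        raise RejectedTarget(f"scheme not https: {raw!r}")
    if parts.username or parts.password:
        raise RejectedTarget(f"userinfo embedded in URL: {raw!r}")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise RejectedTarget(f"host not allowlisted: {host!r}")
    try:
        port = parts.port
    except ValueError:
        raise RejectedTarget(f"invalid port in {raw!r}")
    if port not in (None, 443):
        raise RejectedTarget(f"non-standard port: {port}")
    if parts.query or parts.fragment:
        raise RejectedTarget(f"query/fragment not allowed: {raw!r}")
    m = REPO_PATH.match(parts.path)
    if not m or m["owner"] in (".", "..") or m["repo"] in (".", ".."):
        raise RejectedTarget(f"path is not owner/repo: {parts.path!r}")
    return host, m["owner"], m["repo"]


def canonical_url(raw: str) -> str:
    host, owner, repo = parse_url(raw)
    return f"https://{host}/{owner}/{repo}"


def confine_dest(dest_root: str, owner: str, repo: str) -> str:
    """Resolve <dest_root>/<owner>/<repo> and refuse anything that escapes dest_root."""
    root = os.path.realpath(dest_root)
    dest = os.path.realpath(os.path.join(root, owner, repo))
    if os.path.commonpath([root, dest]) != root or dest == root:
        raise RejectedTarget(f"destination escapes {root}: {dest}")
    return dest


def validate_target(raw_url: str, dest_root: str) -> Target:
    host, owner, repo = parse_url(raw_url)
    return Target(url=f"https://{host}/{owner}/{repo}", dest=confine_dest(dest_root, owner, repo))


def triage(raw_urls: Iterable[str], dest_root: str) -> Tuple[List[Target], List[Tuple[str, str]]]:
    """Validate every scraped URL; return accepted targets and (url, reason) rejections.

    Rejections are returned, not discarded, so the caller can log them instead of
    silencing discovery output the way a suppressed stderr would.
    """
    accepted: List[Target] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for raw in raw_urls:
        try:
            target = validate_target(raw, dest_root)
        except RejectedTarget as exc:
            rejected.append((raw, str(exc)))
            continue
        if target.url in seen:
            rejected.append((raw, f"duplicate of {target.url}"))
            continue
        seen.add(target.url)
        accepted.append(target)
    return accepted, rejected


# Constructed sample of "scraped" URLs; none of these repositories are real.
SCRAPED = [
    "https://github.com/acme/widget-skill",
    "https://github.com/acme/widget-skill.git",
    "http://github.com/acme/plain-http",
    "https://evil.example/acme/widget-skill",
    "https://github.com/../escape",
    "https://user:token@github.com/acme/leaky",
    "https://github.com/acme/widget-skill/tree/main/subdir",
    "https://github.com/acme/widget-skill?ref=x",
]

if __name__ == "__main__":
    ok, bad = triage(SCRAPED, "/tmp/skills")
    for t in ok:
        print("ACCEPT", t.url, "->", t.dest)
    for raw, why in bad:
        print("REJECT", raw, ":", why)
```

Each rejection carries its reason, so the wrapper can print them (to stderr, unsuppressed) or feed them to an audit log; only the canonical URL and the confined destination ever reach `scripts/skill-dl`, never the raw scraped string.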