superme

SUSPICIOUS. The skill’s capabilities largely match its supermarket automation purpose and its network flows stay on official vendor domains, so this is not clearly malicious. However, it auto-installs an external CLI, exports auth cookies, stores tokens in plaintext /tmp files, and performs real account actions; that makes it a medium security risk despite generally coherent purpose alignment.