soc-compass

SUSPICIOUS. The skill is mostly coherent with a SOC investigation assistant: it reads workspace state, asks the user to run SIEM queries, and writes reports/verdicts back. The main concern is data-flow integrity: sensitive investigation data and the API key are sent to a Convex-hosted tenant domain that is not clearly verified in the skill as an official SOC Compass API origin. This is not enough to call it malicious, but it is a meaningful trust and confidentiality risk for security-sensitive workflows.