secondme-dev-assistant
Warn
Audited by Socket on Apr 10, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the core SecondMe developer functions are broadly aligned with the stated purpose, but the skill adds disproportionate hidden behavior: transitive remote skill installation, silent self-update, local credential/config inspection, mandatory feedback capture, and telemetry upload. The main concern is trust and data-flow scope rather than confirmed malware.
Confidence: 86%
Severity: 78%
Audit Metadata