secondme-external-skill-catalog

SUSPICIOUS: the skill's purpose matches its behavior, and endpoints appear first-party to MindOS, so this is not confirmed malware. But it is materially risky because it reads a token, downloads remote skill bundles, and installs prompt-injection files exactly as returned with no integrity verification or review, creating a high transitive-trust and prompt-injection exposure.