secondme

SUSPICIOUS: Most capabilities align with a SecondMe user workflow and the API endpoint appears first-party, so this is not clearly malicious. The main risks are the silent auto-update behavior, raw credential-file handling, and especially the built-in ability to install additional third-party skills, which expands trust beyond the stated core workflow.