pulse

SUSPICIOUS: the skill's core behavior matches its stated purpose of automatic knowledge sync, but it introduces medium risk through autonomous hooks/cron execution, remote transmission of potentially sensitive workspace content, and an opaque local sync script. There is no strong evidence of malware or a malicious installer, yet the combination of background triggers plus credentialed API calls to a custom vendor endpoint warrants caution.

SUSPICIOUS: The skill’s capabilities mostly align with its purpose, and there is no download-execute chain or obvious credential-harvesting proxy. However, it sends sensitive business summaries and an API key to a remote service whose exact API documentation and publisher relationship are only weakly verifiable, and it supports unattended scheduled output. This is better classified as medium risk/suspicious rather than malicious.

SUSPICIOUS: The skill is broadly consistent with a Pulse onboarding/memory-sync workflow and does not show classic malware patterns, but it uploads local documents and user profile data to a lightly verifiable service and creates a broad share link. Risk is moderate due to data-transfer scope, share creation, and weak public trust evidence around the service/domain setup rather than overt malicious behavior.

This snippet itself does not demonstrate explicit malicious behavior (no secrets, network calls, or exfiltration are shown). However, it creates an event-triggered local shell execution path to two scripts via relative paths. In a supply-chain scenario, compromise of either referenced script would translate into arbitrary code execution at runtime when the relevant events occur. Review and integrity-protect pulse-activator.sh and sync-detector.sh, and ensure the execution context/workdir and file provenance are securely controlled.