m5-onboard
Warn
Audited by Socket on May 7, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s capabilities largely match its device-onboarding purpose, and data flow stays aligned with flashing/provisioning. The main concern is install trust: it relies on an unpinned personal GitHub repo for the shipped scripts/app bundle and may bootstrap tooling via package managers or GitHub downloads. No strong signs of credential theft, covert behavior, or unrelated exfiltration were found, but the host/device modification footprint is broad enough to warrant medium risk.
Confidence: 88%
Severity: 56%