hermes-desktop-companion

SUSPICIOUS. The skill’s capabilities largely match its stated desktop-companion purpose, but its trust model is weak and broad: unsigned binaries, security-control bypass instructions, same-org-unpinned installer usage, third-party skill installation, many credential types, and autonomous outbound messaging. This looks more like a high-risk agent control plane than clear malware, but the scope and supply-chain posture are disproportionate enough to treat as suspicious.