synapse

SUSPICIOUS. The stated purpose mostly matches its local file access, but the automatic generation of new skills without user review is disproportionate and creates a high-risk transitive trust chain. Install provenance is same-repo and not overtly malicious, yet mutable ZIP distribution plus unattended cron/git-hook execution raises meaningful security risk.