signal-scanner

SUSPICIOUS. The skill is largely aligned with its lead-scanning purpose and uses official vendor platforms, but it expands trust to third-party Apify actors, handles a high-privilege Supabase service role key, and can make consequential database/status updates. No clear malware or deceptive exfiltration is shown, yet the credential scope and third-party data-processing path make it medium risk.