myotpapp

SUSPICIOUS. The skill is not overt malware and uses an official npm-distributed CLI from the same ecosystem, but its purpose description is inconsistent and all MyOTP interactions are mediated through Membrane rather than direct first-party endpoints. The main risk is third-party credential and request mediation combined with unclear scope, not a hostile installer.