whereby

SUSPICIOUS: the skill's stated purpose fits Whereby automation, and the install source is an official npm package, but it introduces a third-party integration layer that receives authentication and mediates all Whereby access. This is not confirmed malware, but it is a medium-risk trust and data-flow expansion compared with a direct Whereby integration.