secondme
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill performs update checks using `npx skills update` and fetches third-party skill bundles from `app.mindos.com`. These downloads are directed to the vendor's official infrastructure.
- [DATA_EXFILTRATION]: Usage and feedback telemetry are synchronized to the vendor's domain (`app.mindos.com`). The skill implements a consent flow that prompts the user to choose between 'Community' (full telemetry), 'Anonymous' (stripped PII), or 'Off' modes before any data is collected.
- [COMMAND_EXECUTION]: Local shell and Python scripts are used to manage configuration files in `~/.secondme/`, generate PKCE (Proof Key for Code Exchange) parameters for secure authentication, and handle the local storage and batching of telemetry logs.
- [REMOTE_CODE_EXECUTION]: Through the 'Third-Party Skills' feature, the agent can install and sync additional skill bundles (containing markdown and prompt files) from the official SecondMe skill catalog. This is a built-in extensibility feature of the platform.
- [CREDENTIALS_UNSAFE]: The skill manages authentication tokens stored in `~/.secondme/credentials`. This storage is required for the skill to interact with the SecondMe API on behalf of the user. The login process follows secure practices, using PKCE to protect the authorization flow.
Audit Metadata