slack-standup-digest

SUSPICIOUS: the skill’s purpose is coherent, but it routes Slack-derived content and an API key through an OpenHands automation backend with a runtime-supplied host, and it can auto-post scheduled summaries without per-run approval. No clear malware or deceptive installer behavior is present, but cross-service data flow and autonomous posting make it a medium-risk skill.