pidgin-share

SUSPICIOUS. The skill’s capabilities mostly match its stated sharing/response purpose, and there is no clear malware pattern, remote installer, or overt credential theft. However, it relies on a locally shipped wrapper and sends artifacts, response payloads, and auth-backed actions through a relatively opaque third-party `pidgin.sh` service with limited public verification, so trust and data-flow transparency are weaker than expected.