bolt-iot
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s capabilities generally match its Bolt IoT purpose, and the CLI comes from an official npm scope tied to the publisher. However, all auth and API traffic are routed through Membrane rather than directly to Bolt IoT, creating a third-party credential/data mediation layer, and the skill enables real device-control actions. This is coherent but medium-risk due to intermediary trust, mutable CLI install, and autonomous operational impact.
Confidence: 90%
Severity: 56%