calendarific

SUSPICIOUS: The skill’s purpose is plausible, and the CLI comes from an official npm package tied to the same vendor, so this is not outright malicious. However, the integration is not a direct Calendarific client: it requires a Membrane account, routes API access through Membrane, and stores/refreshes credentials server-side, making the data flow broader than a typical single-service skill. Overall risk is medium due to third-party credential mediation and unpinned CLI execution, not confirmed malware.