cronofy

SUSPICIOUS. The skill’s overall purpose is coherent, and the install source is an official npm package tied to the stated publisher ecosystem, so this is not strong evidence of malware. However, all Cronofy access is routed through Membrane rather than official Cronofy APIs, the CLI is installed unpinned at `@latest`, and authenticated calendar data/operations depend on a third-party mediation layer with logging/credential handling on that platform. This is a legitimate-looking integration with medium security risk due to intermediary data flow and delegated credential handling, not confirmed malicious behavior.