schedule-it

SUSPICIOUS. The skill’s purpose and capabilities are broadly aligned, and the CLI comes from an official npm package tied to the same publisher ecosystem. However, all Schedule it authentication and API traffic is funneled through Membrane rather than direct official Schedule it endpoints, creating a meaningful third-party credential and data-handling trust dependency. This looks like a legitimate integration pattern, not confirmed malware, but the proxy-based data flow and credential mediation make it medium risk.