booking-notify

SUSPICIOUS: the notification purpose is plausible and the requested credentials are mostly proportionate, but the actual execution path depends on unpinned local code from another plugin, a nonstandard local Cal.com binary, and an optional third-party webhook relay. The main concern is supply-chain and intermediary trust, not confirmed malware.