booking-notify

SUSPICIOUS: the core notification purpose is plausible, but the actual footprint is broader than necessary. The main concerns are reliance on an unverifiable custom binary from another plugin, transitive trust in calcom-commander, and routing optional notification flows through a custom Cloud Run relay. Official Telegram/Pushover use is normal, but the local executable and intermediary relay make the overall skill high-risk rather than benign.