calendar

Warn

Audited by Socket on Mar 30, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill's calendar capabilities are well aligned with its stated purpose, and its data flows appear intended for legitimate Lark calendar operations. The main issue is install/execution trust: it depends on an ambiguously sourced `lark` binary whose evidenced command set matches a personal GitHub CLI that handles real auth tokens and private calendar data, creating a high supply-chain and credential-forwarding risk even without direct evidence of malicious behavior.

Confidence: 85%
Severity: 78%

Audit Metadata

Analyzed At: Mar 30, 2026, 03:21 AM
Package URL: pkg:socket/skills-sh/yjwong%2Flark-cli%2Fcalendar%2F@e21526c6dad2e8377fe164387c348374788333c1