contacts
Warn
Audited by Socket on Mar 30, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: the skill's purpose is coherent and mostly read-only, but it relies on an unpinned external `lark` CLI whose strongest attribution is a third-party personal repository rather than an official Lark distribution. Because the skill asks the user to grant OAuth contacts scope to that CLI, the main risk is credential/token forwarding and trust in off-platform code rather than overt malicious behavior.
Confidence: 87%
Severity: 74%
Audit Metadata