vikunja

Warn

Audited by Socket on Apr 10, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The stated purpose mostly matches the described capabilities: reading Vikunja tasks and syncing them into Joplin. The main concern is transitive trust—the skill requires installing a separate Joplin skill from a GitHub repository, which expands the trust boundary without showing what that skill does. The Vikunja token and API URL are proportionate to the task, and the configured API appears consistent with a self-hosted Vikunja instance, but the lack of code means credential handling and exact data flows cannot be confirmed. Overall this looks more like a plausible integration skill than outright malware, but it carries medium risk due to unverifiable transitive skill installation and unseen implementation details.

Confidence: 77%
Severity: 52%

Audit Metadata

Analyzed At: Apr 10, 2026, 07:17 AM
Package URL: pkg:socket/skills-sh/zrong%2Fskills%2Fvikunja%2F@4e58f542001562137cfdabbd1161ac5a44dbe798