luma-event-attendees

SUSPICIOUS. The skill’s core behavior matches its stated purpose, and install instructions use official channels, but the paid feature depends on a third-party community Apify actor and forwards an API token to that external service. That makes the trust boundary broader than a simple scraper and creates medium security risk, though there is no clear evidence of hidden exfiltration or outright malware.