eightctl
Audited by Socket on Mar 9, 2026
1 alert found:
Security: The eightctl skill is plausibly aligned with its stated purpose of controlling Eight Sleep pods via a CLI, but it exhibits notable security concerns: it installs an unverifiable binary from a GitHub Go module, and it handles credentials via both a local config file and environment variables. Data flows involve authenticating to an unofficial API, which could risk credential exposure or data leakage if not properly secured. Overall, the footprint is suspicious rather than clearly benign, due to the unverifiable binary distribution and credential handling without explicit security controls. Treat as HIGH risk until provenance and signing/verification are clarified, and ensure strict access controls on credentials and verified release sources before usage in a production environment.