appstash-cli

Warn

Audited by Socket on Feb 27, 2026

1 alert found:

Security: MEDIUM
SKILL.md

This skill is a documentation and example set for a benign-sounding utility that resolves and manages per-tool directories (config, cache, data, logs, tmp) and provides small helpers for reading/writing config, caching, logging, and triggering update checks. It reads/writes local files (including storing tokens in clear JSON files) and honors environment variable overrides. The primary concern is safe handling of credentials on disk and the fact that update checking delegates network activity to a third-party package (@inquirerer/utils) whose endpoints and behavior are not shown here; that dependency could be a vector for telemetry or metadata collection. There are no signs of obfuscation, download-and-execute chains, command injection, or direct credential exfiltration in the provided snippets. Overall risk is low-to-moderate due to credential storage practices and reliance on an external update-check utility — review the @inquirerer/utils implementation and ensure config files are created with restrictive permissions if secrets are stored.

Confidence: 75%
Severity: 75%

Audit Metadata
Analyzed At: Feb 27, 2026, 05:35 AM
Package URL: pkg:socket/skills-sh/constructive-io%2Fconstructive-skills%2Fappstash-cli%2F@931c903a2cb4aea10bcd787bb814727e767823f5