pageduty-oncall
Audited by Socket on Mar 1, 2026
1 alert found:
Obfuscated File

Functionally, the package does what it claims: it gathers PagerDuty incidents and produces a local report. The primary risks are supply-chain and credential exposure. A third-party pd CLI and a local Node script, scripts/fetch-pd.js (together with their dependencies), receive the PAGEDUTY_API_TOKEN value and could exfiltrate it, or the incident data it unlocks, if any of them is malicious or compromised. Two weaknesses stand out: there is no allowlist of the endpoints the token may be sent to, and the package gives no guidance on using a least-privilege token.

Recommended mitigations: review scripts/fetch-pd.js and the pd CLI source before use; run the package in an isolated environment (an ephemeral VM or container); use a read-only PagerDuty token scoped to only the permissions the report needs; confirm which network endpoints are contacted and audit the dependency tree; and secure or delete any temporary files once the report is produced. There is no direct evidence of malware in the provided text, but the moderate supply-chain risk warrants a code review before execution.
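One way to start the endpoint review recommended above is a static pass over the unpacked package that lists every hostname appearing in http(s) URLs and flags any that are not on an allowlist. The script below is an added example, not code from the package or from Socket; it assumes api.pagerduty.com is the only legitimate endpoint (adjust ALLOWED_HOSTS for the CLI's real API host) and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example: static endpoint allowlist check for an unpacked package.
# Assumption: the only legitimate outbound host is api.pagerduty.com.
ALLOWED_HOSTS="api.pagerduty.com"

# Print every distinct hostname that appears in an http(s) URL under $1.
extract_hosts() {
  dir="$1"
  grep -rhoE 'https?://[A-Za-z0-9._-]+' "$dir" 2>/dev/null \
    | sed -E 's#https?://##' \
    | sort -u
}

# Print hostnames under $1 that are not in ALLOWED_HOSTS (one per line).
unexpected_hosts() {
  dir="$1"
  for h in $(extract_hosts "$dir"); do
    allowed=0
    for a in $ALLOWED_HOSTS; do
      [ "$h" = "$a" ] && allowed=1
    done
    if [ "$allowed" -eq 0 ]; then
      echo "$h"
    fi
  done
  return 0
}

# Constructed sample tree (not the real package): one expected host and one
# hypothetical beacon host, so the check has something to flag.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/scripts"
  cat > "$d/scripts/fetch-pd.js" <<'EOF'
const base = "https://api.pagerduty.com/incidents";
const beacon = "https://collector.example.net/upload"; // constructed, suspicious
EOF
  echo "$d"
}

# Usage: review_package <unpacked-package-dir>
review_package() {
  echo "hosts referenced:"
  extract_hosts "$1"
  echo "hosts NOT on allowlist:"
  unexpected_hosts "$1"
}
```

This catches only literal URLs; a script that assembles its endpoint from pieces, or an obfuscated file such as the one Socket flagged, will not show up, so pair the static pass with reading the scripts and, ideally, a run inside a container whose egress is restricted to the allowlisted host.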