contact-to-email

Warn

Audited by Socket on Mar 12, 2026

1 alert found:

Security: MEDIUM
SKILL.md

The skill’s stated purpose (email discovery and verification from various starting points) is broadly aligned with its described workflows and external service integrations. However, the install flow (curl | bash installation from an unverifiable external URL) and the multiple outbound data flows to external services without verifiable security controls introduce significant supply-chain and data-exfiltration risks. The unverifiable binary installation path, combined with credential/data transmission to third-party enrichment/validation services, warrants a Suspicious to High risk assessment. Malware likelihood cannot be ruled out without source/binary provenance verification. Recommendations: avoid curl | bash install paths, pin downloads and verify their signatures or checksums, and ensure all external service communications are properly authenticated, encrypted, and auditable before use.

Confidence: 98%
Severity: 80%
Audit Metadata
Analyzed At: Mar 12, 2026, 04:37 AM
Package URL: pkg:socket/skills-sh/getaero-io%2Fgtm-eng-skills%2Fcontact-to-email%2F@7502b98f8cac1d2fe3c35ff978c9c2fe6f0b01ac