lark-cli-setup
Warn
Audited by Socket on Apr 13, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The core purpose largely matches installing the official Lark CLI, but the skill is not proportionate: it hardcodes a reusable App Secret, automatically installs a second skill bundle with 19 additional capabilities, and expands the agent into real-world messaging/document/mail actions. Official npm provenance lowers malware confidence, but plaintext credential exposure and transitive skill installation make the overall security posture high risk.
Confidence: 92%
Severity: 81%
Audit Metadata