eightctl

Warn

Audited by Socket on Mar 8, 2026

1 alert found:

Security: MEDIUM
SKILL.md

The skill is coherent with a purpose-built CLI for Eight Sleep pod control and includes reasonable credential handling for a local user. However, the installation pathway relies on an unverifiable GitHub Go module downloaded as 'latest', which introduces a non-trivial supply-chain risk. Given the combination of unverifiable binary installation, credential handling, and network calls to an unofficial API, the overall risk is elevated. The skill should be treated as SUSPICIOUS with a securityRisk assessment elevated toward high due to the binary supply-chain risk, unless the module is replaced with a verifiable, pinned release from an official registry or signed artifact. If a developer can pin to a verified release and provide checksums, the risk score would drop substantially.

Confidence: 98%
Severity: 70%
Audit Metadata
Analyzed At
Mar 8, 2026, 03:13 AM
Package URL
pkg:socket/skills-sh/malue-ai%2Fdazee-small%2Feightctl%2F@202a55a7eb8b86c53f280f6bba4ca9ece4fbbec4