intercom-crm
Audited by Socket on Mar 5, 2026
1 alert found:
Malware
The skill's functional purpose (Intercom CRM integration) is benign and typical. However, the installation and authentication recommendations introduce substantial supply-chain and credential-exposure risks: unverified remote install scripts (curl|bash), a transitive canifi-env installer, optional storage of plaintext passwords, and use of Playwright CDP to access browser sessions. These combined patterns justify treating the package as moderate-to-high operational risk until the installer sources and canifi-env implementation are audited and installers are delivered with verifiable signatures or checksums. Do not run the provided curl|bash commands on production machines without code review or sandboxing; prefer OAuth and secure secret storage mechanisms.