miot-calendar

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The prompt explicitly allows passing credentials via --token flags on every CLI call (which would require embedding secret values verbatim into generated commands), creating a high exfiltration risk even though safer env/profile options are mentioned.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill recommends running the CLI via "npx @microboxlabs/miot-cli", which at runtime fetches and executes code from the npm registry (e.g. https://registry.npmjs.org/@microboxlabs/miot-cli), so it is a required external dependency that executes remote code.