booking-config
Audited by Socket on Feb 27, 2026
1 alert found:
Security: The skill fragment is purpose-aligned for Cal.com configuration via CLI and API webhooks. However, it introduces data flow risks by extracting the API key from a vault and embedding it directly into curl requests as a query parameter, which can be exposed in logs, command history, or process snapshots. The use of a webhook relay URL adds another external data path. Overall, the design is plausible for a legitimate integration but constitutes a MEDIUM-to-HIGH risk pattern due to credential exposure and external network flows; treat as suspicious until credentials handling is hardened (e.g., using Authorization headers instead of query params, avoiding shell exposure, and ensuring logs do not capture secrets).