JustCalendar

This skill appears to describe and document a legitimate CLI and is coherent with its stated purpose, but take the following precautions before installing or using it: - Verify provenance: confirm the npm package name and publisher (npmjs.com) or the GitHub repository owner before running npm install -g or git clone. Malicious packages can be published under similar names. - Token handling: avoid pasting the token directly into a shell command if you can. Passing credentials on the command line can expose them in shell history and to other users on the same machine (ps). Prefer interactive login, environment variables, or storing the token in the CLI's config if the tool supports secure storage. If you must use the CLI argument, remove the command from shell history and rotate/revoke the token if it may have been exposed. - Least privilege: review what Google Drive permissions the Just Calendar web app requests when you connect it (ideally read/write limited to a justcalendar folder). Only grant permissions you understand and are comfortable with. - Review local config: the CLI writes ~/.justcalendar-cli/config.json and expects JustCalendar.ai files in Drive; inspect these files if you want to verify stored tokens or data before trusting them. - If you install globally, prefer verifying package integrity (checksums, signed releases) or installing in a virtual environment/container if you're unsure. If you want, I can: (1) show commands to install safely in a local project rather than globally, (2) suggest safer ways to provide the token (env var or interactive prompt) depending on what the CLI supports, or (3) help verify the npm/GitHub package metadata before you install.