bshio

This skill's purpose (an Outlook CLI) is plausible, but there are important red flags you should resolve before installing or running anything: - The bundle contains only documentation (README and SKILL.md) and no executable or Python script named 'outlook'. Ask the author where the CLI binary or source code is and why it's not packaged. Do not rely on running commands like 'outlook auth' until you have the actual program. - Authentication guidance is inconsistent: SKILL.md advertises device-code flow (which typically does not require a client secret) but the README instructs creating and entering a client secret. Confirm which auth flow the tool uses. Avoid entering or storing client secrets unless you have audited the code and understand why they are needed. - The skill will store OAuth tokens at ~/.config/outlook-cli/token.json. That is expected, but ensure the file permissions are set (chmod 600) and never share or commit the file. Prefer device-code / public client flows if you want to avoid storing client secrets. - Because this is instruction-only (no install), there is low install-time risk — but you must obtain the actual CLI implementation from a trustworthy source (official repo or release). If the implementation is delivered from an unknown URL later, treat that as higher risk. Recommended next steps before use: obtain and inspect the actual 'outlook' program source (or official release), verify the auth flow and minimal Graph API permissions, and confirm there are no hidden network endpoints or telemetry beyond Microsoft Graph. If the author cannot provide the code or an official release, avoid installing or entering sensitive credentials.