aleph-alpha

SUSPICIOUS. The skill’s purpose broadly matches Aleph Alpha integration, and the CLI install source appears legitimate via official npm/vendor channels. However, the actual data flow is indirect: authentication, credentials, and API operations are mediated by Membrane rather than going directly to Aleph Alpha. This third-party gateway model is proportionate to the stated Membrane-based workflow but weakens data-flow integrity and expands trust to server-side credential storage/logging. No clear malware or deceptive installer behavior is present, but the intermediary routing and credential handling make this higher risk than a direct official API skill.