bambora

SUSPICIOUS. The skill's capabilities broadly match its stated Bambora integration purpose, and the Membrane CLI install path is from an official registry tied to the publisher. The main concern is data-flow integrity: Bambora credentials and API traffic are mediated by Membrane rather than sent directly to official Bambora endpoints, creating third-party credential forwarding and proxy access to payment-related data. This is not clearly malicious, but it is a meaningful trust and privacy risk for a payment integration skill.