branch

SUSPICIOUS: the skill is broadly coherent as a Membrane-based integration, and the install path is official npm rather than an unverifiable binary. However, it routes Branch authentication and API traffic through Membrane as an intermediary, uses an unpinned `@latest` CLI command in places, and shows notable documentation mismatch around what 'Branch' service is being integrated. This looks more like a third-party managed connector than a direct Branch skill, creating medium security risk but not clear malware evidence.