cobalt-io

Warn

Audited by Socket on Apr 23, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill's broad purpose mostly matches its capabilities, and the Membrane CLI appears to be an official same-ecosystem tool from npm. However, the skill routes Cobalt access and authentication through Membrane as an intermediary, uses mutable `@latest` execution, and cites a clearly inconsistent fake-looking Cobalt docs domain (`cobalt.foo`). This is not confirmed malware, but it has meaningful trust and data-flow risk disproportionate to a simple direct Cobalt integration.

Confidence: 89%
Severity: 68%
Audit Metadata

Analyzed At: Apr 23, 2026, 09:55 AM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fcobalt-io%2F@49e6ef770d828d3b9fa24a621bde988bb0e218b9