codeq-natural-language-processing-api
Warn
Audited by Socket on Apr 22, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill's stated purpose is Codeq API access, but it routes all authentication and API activity through Membrane instead of Codeq's official endpoints. The npm install path itself looks legitimate, so this is not confirmed malware, but the third-party gateway model and mutable latest-version execution make the data flow and trust boundary broader than the description implies.
Confidence: 87%
Severity: 64%
Audit Metadata