documerge

SUSPICIOUS. The skill is internally coherent and uses an official npm-published CLI tied to the same vendor, so it is not outright malicious. However, it routes Documerge access through Membrane’s proxy/service layer instead of directly to Documerge, creating intermediary visibility into requests and auth context, and it uses an unpinned `npx ...@latest` command. Overall this is a medium-risk integration skill with notable third-party trust and data-flow expansion, not confirmed malware.