double

SUSPICIOUS. The skill is broadly coherent with its stated purpose and uses an official npm-published Membrane CLI, so it does not look overtly malicious. However, it requires trusting Membrane as a broker for authentication and all Double operations, uses an unpinned global CLI install, and can create/run account-changing actions through that intermediary service, which raises medium security risk.