elastic-path

SUSPICIOUS. The skill's capabilities broadly match its stated Elastic Path integration purpose, and the CLI install path is from an official npm package rather than an opaque binary. However, the skill routes all authenticated Elastic Path activity through Membrane's third-party proxy and account system instead of direct official APIs, creating a meaningful trust-boundary and credential-forwarding concern. This looks more like a managed integration gateway than malware, but the intermediary data flow and unpinned @latest execution make it medium risk rather than benign.