expofp

SUSPICIOUS: The skill's purpose and capabilities mostly align, and the CLI comes from an official npm package rather than an unknown installer. The main concern is data-flow integrity: ExpoFP authentication and data access are routed through Membrane's infrastructure, which stores and refreshes credentials server-side, so the skill acts as a third-party broker rather than a direct ExpoFP integration. Combined with unpinned `@latest`/`npx` execution, this makes the skill medium risk but not malicious.