finapi

SUSPICIOUS. The skill is broadly coherent for a FinAPI integration, and installation uses an official npm package rather than an unverifiable binary. However, it intermediates sensitive open-banking data and payment-capable actions through Membrane instead of direct FinAPI endpoints, and it enables potentially autonomous real-world financial actions. This is not confirmed malware, but it carries meaningful security risk and should only be used with strict per-action approval and awareness that banking data flows through a third-party platform.