gopay

SUSPICIOUS: the skill is broadly coherent with its stated GoPay-integration purpose, and the CLI comes from a normal official npm package rather than an unverifiable binary. However, all authentication and GoPay access are brokered through Membrane, so credentials and data flow through a third-party platform rather than directly to official GoPay APIs; combined with mutable `@latest` install and potentially real-world payment actions, this makes the skill medium risk rather than benign.