hellosign

SUSPICIOUS: the skill’s purpose matches HelloSign management, and its CLI install path is consistent with the Membrane publisher, so this is not clearly malicious. However, the integration is materially mediated by Membrane rather than direct HelloSign APIs, expanding third-party data access and enabling externally consequential actions like sending or canceling signature requests. Overall this is a coherent but medium-risk proxy-style integration skill.