judopay

SUSPICIOUS. The skill’s overall purpose is coherent, and the CLI install source is reasonably legitimate via the publisher’s npm package. However, the integration is not a direct Judopay connector: authentication, connections, discovery, and action execution are all routed through Membrane, introducing a third-party control plane for payment-platform access and data. That intermediary model is broader than a simple Judopay skill and creates moderate credential/data-flow risk, though there is no clear evidence of overt malware or covert exfiltration.