kombo

SUSPICIOUS: The skill's purpose and capabilities are mostly coherent, and the installer appears to be the official Membrane CLI from npm. The main concern is data-flow integrity: Kombo access and credential handling are routed through Membrane as an intermediary rather than directly to Kombo's official API, which creates meaningful third-party trust and credential-forwarding risk even though it is disclosed. Overall this looks like a legitimate integration pattern with medium security risk, not confirmed malware.