lighthouse

SUSPICIOUS. The main issue is purpose/data-flow inconsistency: the skill claims Google Lighthouse website auditing but exposes project-management actions and routes all authenticated traffic through Membrane as an intermediary. The npm-installed Membrane CLI appears legitimately published, so this is not confirmed malware, but the misleading purpose and proxy-based credential/data handling make the skill medium-high risk.