lightspeed-vt

SUSPICIOUS: the skill’s core purpose and capabilities mostly align, and the install source appears legitimate via official npm. However, all authentication and API activity are mediated through Membrane rather than direct LightSpeed VT endpoints, creating third-party credential/data handling and logging exposure; combined with unpinned CLI install and natural-language action creation, this is more than low risk but not clearly malicious.