melo

SUSPICIOUS. The skill is not overt malware, and it uses a plausibly official CLI from npm, but its footprint is inconsistent with its stated Melo purpose and it routes all interaction through Membrane as a third-party intermediary. The strongest concern is purpose mismatch plus indirect remote action generation/execution; overall this is a medium-risk skill rather than confirmed malicious content.