microsoft-entra-id

Warn

Audited by Socket on Apr 28, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill’s capabilities broadly match its stated Entra ID management purpose, and the install source is a legitimate npm package rather than an opaque binary. The main concern is data-flow integrity and scope: authentication, token refresh, and API requests are mediated by Membrane instead of going directly to Microsoft Graph, creating a third-party trust boundary for high-impact identity administration. This is not clearly malicious, but it is a medium-risk enterprise integration skill with disproportionate consequences if misused.

Confidence: 87%
Severity: 64%

Audit Metadata

Analyzed At: Apr 28, 2026, 07:40 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fmicrosoft-entra-id%2F@89ef5accedce2e29445506a84533abfc7012e11c