neon-one

SUSPICIOUS. The core capability is coherent for a Neon One integration, and the CLI install path appears to be the publisher's official npm package. The main risk is data-flow integrity: Neon One access is routed through Membrane's proxy and credential-management layer rather than directly to official Neon One APIs, creating third-party visibility into API traffic and auth. This is not clearly malicious, but it is a meaningful trust expansion that users should understand.