onepagecrm

SUSPICIOUS: The skill’s purpose and capabilities are mostly coherent, and the CLI install source appears legitimate and same-vendor via npm. The main concern is data-flow integrity: all OnePageCRM access and credential handling are routed through Membrane rather than directly to OnePageCRM, which is disclosed but introduces a third-party intermediary for both data and auth. This is not fundamentally incompatible with the skill’s stated purpose, so it does not rise to malicious, but it carries medium risk due to credential/data centralization and the unpinned `npx @latest` example.