peach

SUSPICIOUS: the skill is mostly coherent with its stated purpose, and the Membrane CLI appears to be an official same-org tool from npm, so this is not strong evidence of malware. However, a Peach skill routes authentication, data access, and actions through Membrane rather than official Peach APIs, creating a third-party credential/data intermediary and broader trust boundary than the skill description implies. Unpinned `@latest` installs add moderate supply-chain risk.