phonecom
Warn
Audited by Socket on Apr 21, 2026
1 alert found:
LOW Anomaly
SKILL.md
SUSPICIOUS. The skill is coherent for Phone.com management, and the CLI install source appears same-vendor and official via npm, so this is not overtly malicious. However, the actual data flow routes Phone.com access through Membrane's proxy and CLI rather than direct official Phone.com API calls, creating third-party credential/data mediation risk; combined with unpinned npm and `npx @latest`, this makes the skill medium risk.
Confidence: 88%
Severity: 58%
Audit Metadata