pingdom
Audited by Socket on Apr 22, 2026
1 alert found:
Anomaly
SUSPICIOUS. The skill’s purpose and capabilities are mostly aligned: it is clearly a Pingdom integration and the listed actions match that purpose. Install trust is moderate: the CLI comes from the official npm registry and appears to be the publisher’s intended tooling, so this is not an obvious malware installer. However, the core data flow is routed through Membrane rather than directly to Pingdom’s official API, meaning Pingdom access and returned data pass through a third-party intermediary. That routing is broader than a simple Pingdom skill needs and creates credential/data exposure risk even though the docs frame it as auth convenience. Scope is otherwise proportionate and there is no evidence of credential-file theft, obfuscation, stealth, exploit tooling, or arbitrary exfiltration endpoints. Overall this looks coherent but introduces medium risk because of intermediary-controlled API access and mutable CLI usage.