pipeline-crm

SUSPICIOUS. The skill's broad CRM-management purpose generally matches its capabilities, and the install source is an official npm package consistent with the publisher. However, the actual data flow is not a direct PipelineCRM integration: authentication, credential handling, and API access are mediated by Membrane, a third-party intermediary, including a raw request proxy. That extra trust boundary and unpinned `@latest` example raise medium security concerns even without signs of confirmed malware.