postmark

SUSPICIOUS. The skill's capabilities mostly match its stated Postmark integration purpose, and the CLI install path is relatively trustworthy via npm. The main concern is data-flow integrity: instead of authenticating and calling Postmark directly, the skill requires a Membrane account and routes requests and credentials through Membrane as an intermediary, adding a disproportionate trust dependency for an email integration. Because it can also send emails, misuse could have real-world impact. Not clearly malicious, but medium risk due to credential/data brokering through a third party and outbound-action capability.