promptmateio

SUSPICIOUS. The skill is broadly coherent for a Membrane-published integration and uses an official npm-distributed CLI rather than an unverifiable binary, so this is not strongly indicative of malware. However, the data flow is mediated through Membrane rather than direct Promptmate APIs, Promptmate public API docs are absent, and the proxy/request pattern plus `@latest` usage increase trust and supply-chain risk. Risk is moderate because credentials and API traffic are delegated to a third-party integration platform, but the publisher/tool relationship appears consistent.