q2
Warn
Audited by Socket on Apr 23, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill's purpose and capabilities mostly align, and the CLI comes from an official npm package documented by the same vendor, so this is not outright malicious. However, the skill routes Q2 authentication and API traffic through Membrane as a third-party intermediary and includes mutable `@latest` execution, creating medium security risk from credential/data mediation and external tool trust.
Confidence: 86%
Severity: 56%
Audit Metadata