reflect
Warn
Audited by Socket on Apr 23, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill's capabilities broadly match its stated purpose, and the install path uses a legitimate npm package rather than a raw downloader. However, the integration routes Reflect authentication and data through Membrane instead of directly to Reflect, and it asks the agent to execute a third-party CLI with floating latest versions. This looks like a coherent managed-integration skill, but with medium supply-chain and credential-forwarding risk due to intermediary trust and mutable CLI execution.
Confidence: 85%
Severity: 56%
Audit Metadata