semaphoreci

SUSPICIOUS: The skill is internally coherent for a Membrane-published Semaphore integration, and the install path appears official via npm rather than an unverifiable binary. The main risk is architectural: Semaphore authentication, credentials, and data are brokered through Membrane's third-party service and CLI, with mutable @latest installs and the ability to execute workflow actions. This is not clearly malicious, but it meaningfully expands trust and operational impact beyond a direct Semaphore integration.