semgrep

SUSPICIOUS. The skill's capabilities broadly match its stated Semgrep-management purpose, and the CLI install source appears legitimate. The main concern is data-flow integrity: Semgrep authentication and API traffic are routed through Membrane as a third-party intermediary rather than directly to official Semgrep endpoints, which creates elevated trust and credential-brokerage risk. Overall this looks coherent but medium risk due to proxy-mediated access and mutating admin actions.