sendcloud
Warn
Audited by Socket on Mar 15, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill’s stated Sendcloud purpose is coherent, and the npm-based CLI install is not inherently malicious. However, the integration is materially mediated by Membrane: authentication, credentials, and even raw API requests are routed through a third-party platform rather than direct Sendcloud APIs. That makes the trust boundary broader than the skill description suggests and raises medium risk around credential forwarding and data flow integrity, though there is no clear evidence of malware or overt exfiltration behavior.
Confidence: 84%
Severity: 61%
Audit Metadata