shiphero

Warn

Audited by Socket on May 1, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill's purpose and capabilities are mostly aligned, and the CLI comes from an official npm package tied to the stated vendor, so this is not strong evidence of malware. However, the skill requires a third-party Membrane account, routes ShipHero authentication and data access through Membrane rather than direct official ShipHero APIs, and uses unpinned `@latest` CLI execution; those factors make the trust and data-flow footprint broader than a simple ShipHero integration.

Confidence: 87%
Severity: 61%

Audit Metadata
Analyzed At: May 1, 2026, 04:37 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fshiphero%2F@f506e7854902d1c917f6a6d7081cac5a2d84c3ff