shipperhq

SUSPICIOUS. The skill's capabilities broadly match its stated ShipperHQ integration purpose, and the CLI comes from an official-looking npm package rather than an unknown installer. However, the core data flow is mediated through Membrane instead of direct ShipperHQ APIs, so credentials and request data are entrusted to a third-party proxy service. This is not clearly malicious, but it meaningfully expands trust and creates medium security risk.