shopee

SUSPICIOUS. The skill's core behavior is coherent for a Membrane-hosted Shopee integration, and the CLI comes from an official npm package tied to the same publisher. However, all Shopee auth and data access are routed through Membrane rather than direct Shopee APIs, so the user must trust a third-party gateway with credentials, intents, and retrieved data; combined with a mutable `@latest` global install, this makes it medium risk rather than benign.