smartreach

SUSPICIOUS. The skill's business purpose is plausible, and the CLI install source appears legitimate, but the integration is not a direct SmartReach client: it requires a Membrane account and routes SmartReach authentication and API traffic through Membrane's infrastructure. That intermediary data flow is the main concern. This looks more like a third-party gateway skill than a native SmartReach integration, so risk is medium even without clear malware indicators.