softledger

SUSPICIOUS: The skill is broadly coherent with its stated SoftLedger integration purpose, and the install path uses a legitimate npm package rather than a raw download-execute chain. The main concern is data-flow integrity: SoftLedger access is mediated through Membrane infrastructure, so accounting data and auth handling are entrusted to a third-party proxy platform rather than sent directly to SoftLedger. This is not fundamentally incompatible with the skill’s purpose, but it is a meaningful trust and operational risk, amplified by mutable install instructions (`-g` and `@latest`) and the ability to trigger real accounting actions.