sonarcloud
Warn
Audited by Socket on Mar 13, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s purpose is coherent, and the CLI install path is consistent with the publisher, so this is not obviously malicious. However, the integration routes authentication and API traffic through Membrane rather than directly to SonarCloud, creating a meaningful intermediary trust and data-flow risk; combined with execution of a vendor CLI and an unpinned `npx @latest` example, this makes the skill medium risk rather than benign.
Confidence: 86%
Severity: 56%
Audit Metadata