sonatype
Warn
Audited by Socket on Apr 22, 2026
1 alert found:
Anomaly (severity: LOW) in SKILL.md
SUSPICIOUS: The skill’s capabilities broadly match its Sonatype integration purpose, and the CLI install source appears to be the publisher’s official npm package. However, the integration is not a direct Sonatype skill in practice: it requires a separate Membrane account and routes Sonatype authentication and API traffic through Membrane’s proxy, creating a third-party credential and data mediation layer. That makes the footprint somewhat disproportionate to the stated purpose and introduces meaningful data-flow and trust risk, but not enough evidence for malicious classification.
Confidence: 87%
Severity: 56%