sorry

SUSPICIOUS. The skill is mostly coherent with its stated purpose and uses a same-vendor CLI from npm, so it is not overtly malicious. However, the target app's official API/docs are not substantiated, and all data/actions are funneled through Membrane as an intermediary, creating medium data-flow and trust risk beyond a direct first-party integration.