square

SUSPICIOUS: the skill's general purpose matches Square operations, and the CLI install path is reasonably legitimate, but the core integration is mediated by Membrane rather than direct Square APIs. That intermediary design makes credentials and Square data flow through a third-party platform, which is disproportionate if the user expects a direct Square integration. No confirmed malware or overt credential theft is present, but the proxy/auth model creates medium security risk and trust concerns.