stripe-treasury

SUSPICIOUS: The skill is mostly coherent for a Stripe Treasury integration and uses an official npm-published CLI from the same vendor ecosystem, so it is not overtly malicious. However, it routes sensitive financial API access and data through Membrane as a third-party intermediary, uses mutable `@latest` execution in one command, and exposes potentially high-impact treasury actions without explicit approval guardrails. This is a medium-risk integration skill rather than confirmed malware.