sumup

SUSPICIOUS. The skill's purpose and capabilities mostly align, and the install path is from official npm, not an opaque binary. However, it routes SumUp authentication and API traffic through Membrane rather than directly to SumUp, creating a third-party credential/data intermediary that is broader than a native integration. This is not confirmed malware, but the mediated data flow and mutable `@latest` usage make it medium risk.