taxjar

SUSPICIOUS. The skill is mostly aligned with its stated purpose and uses an official npm-distributed CLI, so this is not strong evidence of malware. However, all TaxJar access and authentication are mediated through Membrane rather than the official TaxJar API, creating third-party credential/data-routing risk, and the mutable `@latest` CLI install adds supply-chain exposure. Overall this looks like a coherent integration skill with medium security risk, not confirmed malicious behavior.