thepeer

SUSPICIOUS: the skill's purpose and capabilities mostly align, and install trust is relatively normal via the official npm package, but data-flow integrity is weaker because all Thepeer access and credential handling are routed through Membrane rather than directly to Thepeer's official API. This is disclosed and plausibly legitimate, so it is not malicious, but the third-party proxy/auth model and unpinned `npx ...@latest` usage make it medium risk.