thoughtly

SUSPICIOUS: the skill’s broad purpose matches its capabilities, and the CLI install path is from an official registry, but the integration is mediated through Membrane as a third-party proxy rather than using Thoughtly’s official API directly. The incorrect claim that Thoughtly lacks public developer docs weakens trust and makes the data-routing design look unnecessarily intermediary-heavy. Overall this is not confirmed malware, but it carries moderate security risk due to third-party credential/data handling and unpinned CLI execution.