tick

SUSPICIOUS: the skill’s core purpose fits Tick integration, and the install path is an official npm package from the same vendor ecosystem. However, all Tick access and authentication are mediated through Membrane rather than direct official Tick APIs, and the skill can create/run remote actions dynamically. This is not clearly malicious, but it meaningfully expands trust and routes credentials/data through a third-party integration platform.