tookan

SUSPICIOUS. The skill’s capabilities fit a Tookan integration and the Membrane CLI install path appears same-vendor and legitimate, so this is not malicious. However, it requires a separate Membrane account and routes Tookan API calls and credential handling through Membrane’s proxy instead of directly to Tookan, creating a meaningful third-party data-flow and trust expansion.