truora

SUSPICIOUS: the skill is coherent as a Membrane-hosted Truora connector, but its real footprint is broader than a plain Truora integration because all authentication and API activity are mediated by Membrane rather than going to Truora directly. The npm install source is comparatively legitimate, so this is not confirmed malware, but the third-party credential/data routing and unpinned CLI raise medium security concerns.