usersketch

SUSPICIOUS. The skill is not overtly malicious and uses a legitimate npm-published CLI, but its actual footprint depends on a third-party intermediary (Membrane) for auth and all API access, and the claimed target service is ambiguous because the skill name and linked official docs do not match. The install source is reasonably trustworthy, yet purpose-capability alignment and data-flow integrity are only partially coherent.