vanta

SUSPICIOUS: The skill's purpose and capabilities mostly align, and the CLI install path is an official npm package rather than a hidden payload. The main concern is data-flow integrity: Vanta authentication and API traffic are routed through Membrane, a third-party intermediary, instead of directly to Vanta's official API. This is not confirmed malware, but it creates meaningful credential-forwarding and data-exposure risk, amplified by unpinned CLI execution via `@latest`.