vapi

SUSPICIOUS: the skill is coherent as a Membrane-hosted Vapi integration, and the CLI install path is reasonably legitimate, but the actual data flow is through Membrane's intermediary platform rather than direct Vapi APIs. That third-party proxying and connection-based credential handling create medium security risk even without clear malware indicators.