veracode

SUSPICIOUS: The skill's stated purpose matches its capabilities, and installation uses an official npm package rather than a raw binary. The main concern is data flow integrity: Veracode access is mediated by Membrane's backend and proxy, so scan data and auth context pass through a third party instead of directly to Veracode. This is not clearly malicious, but it meaningfully expands trust and should be treated as medium risk.