vosfactures

SUSPICIOUS: The skill is mostly coherent for a Membrane-based Vosfactures integration and uses an official npm package rather than a raw downloader. The main concern is data-flow integrity: it requires a Membrane account and routes Vosfactures API access through Membrane’s proxy/connection service, creating additional third-party trust and exposure beyond the official Vosfactures API. This is proportionate to the stated Membrane integration purpose, so it is not malicious, but the intermediary architecture and unpinned `@latest` usage make it medium risk rather than benign.