wavemaker

SUSPICIOUS: The skill is internally coherent as a Membrane-hosted WaveMaker integration and uses an official npm-distributed CLI, so it is not clearly malicious. However, it routes authentication, credentials, and API traffic through Membrane rather than directly to WaveMaker, and it encourages unpinned `npx ...@latest` usage. The main risk is third-party credential/data brokering, not deceptive purpose mismatch.