whosonlocation

Warn

Audited by Socket on Apr 2, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill’s capabilities broadly match its stated purpose, and the CLI install path is from an official npm package tied to the stated publisher. The main concern is data-flow integrity: authentication and API requests are funneled through Membrane as a third-party intermediary rather than directly to WhosOnLocation, which increases credential and data exposure beyond a direct integration. This is not clearly malicious, but it is medium risk and should only be used if the user accepts Membrane as the trusted broker.

Confidence: 87%
Severity: 54%

Audit Metadata
Analyzed At: Apr 2, 2026, 03:36 AM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fwhosonlocation%2F@a9d35a6d43b38c4f776dec8a6ce6051bdd2c49ab