workast
Warn
Audited by Socket on Apr 2, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS: The skill is broadly aligned with its stated Workast-integration purpose and uses an official same-publisher npm CLI, so this is not outright malicious. However, it routes authentication and Workast API traffic through Membrane as an intermediary, and the mutable `npx ...@latest` path adds supply-chain risk. The footprint is coherent but relies on third-party credential/API mediation rather than direct Workast access, which raises a medium security concern.
Confidence: 87%
Severity: 56%
Audit Metadata