yumpu

SUSPICIOUS: the skill is purpose-aligned as a Yumpu integration, and its install path appears to use Membrane's official npm CLI, but it routes authenticated Yumpu activity through Membrane's intermediary service rather than directly to Yumpu. That third-party proxy model and mutable `npx @latest` usage create medium security risk, though there is no strong evidence of malware or hidden behavior.