z-api
Warn
Audited by Socket on Apr 21, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill is not overtly malicious and uses an official npm-distributed CLI from the same vendor family, but its purpose and data flows are only partially coherent. The biggest issues are the naming/docs mismatch and the fact that all API access and authentication are routed through Membrane rather than directly to the stated service, increasing third-party trust and credential exposure. Overall this looks like a legitimate integration-platform skill with medium security risk, not confirmed malware.
Confidence: 86%
Severity: 56%
Audit Metadata