zoho-sign

SUSPICIOUS: The skill’s purpose mostly matches its capabilities, but it routes all Zoho Sign access and authentication through Membrane instead of directly to Zoho’s official APIs. That third-party proxy model and credential handling are disproportionate enough to raise medium risk, though the npm-based install path appears vendor-consistent rather than overtly malicious.