10duke

SUSPICIOUS. The skill is broadly aligned with its stated 10Duke integration purpose and uses an official-seeming Membrane CLI from npm, so it is not clearly malicious. The main concern is data-flow integrity: authentication and 10Duke access are brokered through Membrane, which stores and refreshes external credentials server-side, creating a third-party trust boundary beyond 10Duke itself. Combined with unpinned `@latest` installs, this makes the skill medium risk but not incompatible with its claimed purpose.