3dcart

The skill is mostly coherent with its stated purpose and uses an official npm-distributed CLI from the same publisher ecosystem, so it is not overtly malicious. The main risk is architectural: 3dcart authentication and data operations are routed through Membrane as a third-party intermediary instead of directly to 3dcart, which creates moderate trust and data-handling exposure. Overall verdict: SUSPICIOUS due to intermediary credential/data routing, but not malicious.