apto-payments

SUSPICIOUS: the skill is internally coherent as a Membrane-mediated Apto integration, but it routes authentication and API traffic through Membrane rather than directly to Apto. The install source is relatively trustworthy (official npm package), so this is not strong evidence of malware; the main risk is third-party credential/data mediation plus mutable `@latest` CLI execution.