bigbox
Warn
Audited by Socket on May 3, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The install path is relatively trustworthy because it uses the vendor-scoped npm package, but the skill’s stated purpose and actual documentation are badly mismatched: BigBox/Box-style storage, Best Buy docs, and Home Depot actions cannot all be correct. The Membrane-mediated auth/data flow is disclosed and may be legitimate for this ecosystem, but it introduces third-party credential/data handling and is harder to justify when the target service itself is unclear.
Confidence: 88%
Severity: 58%