bigmailer

SUSPICIOUS. The skill's purpose and capabilities are mostly aligned for a BigMailer integration, and the CLI comes from an official npm package rather than an arbitrary download. The main risk is data-flow and credential trust: instead of calling BigMailer's official API directly, the skill requires a Membrane account and routes auth and operations through Membrane-managed services, creating a third-party intermediary with broad access. This is not confirmed malware, but it is a medium-risk integration pattern with credential-forwarding and mutable CLI concerns.