bloom-credit
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s capabilities mostly match its stated Bloom Credit integration purpose, and the CLI source is an official npm package tied to the same vendor. The main concern is data-flow integrity: authentication and API traffic are mediated through Membrane rather than going directly to Bloom Credit, creating third-party trust and credential/data forwarding risk; combined with unpinned `@latest`/`npx` execution, this elevates security risk above benign but not to malicious.
Confidence: 84%
Severity: 57%