bombora

SUSPICIOUS: the skill’s behavior mostly matches its stated Bombora-integration purpose, and the install path is a normal npm CLI workflow. The main risk is architectural: all auth and API traffic are routed through Membrane rather than directly to Bombora, so credentials and data handling depend on a third-party intermediary; combined with unpinned CLI execution, this raises medium security risk but does not by itself indicate malware.