bugbug
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s purpose and capabilities are broadly aligned, and the CLI comes from an official npm package tied to the same publisher, so this is not overtly malicious. However, the data flow is mediated through Membrane rather than directly to BugBug, meaning credentials and API activity are entrusted to a third-party platform; combined with mutable @latest installation, this creates medium security risk disproportionate to a simple BugBug integration.
Confidence: 90%
Severity: 58%
Audit Metadata