charthop

SUSPICIOUS: the skill is coherent as a ChartHop-via-Membrane integration guide, and the CLI source appears to be an official npm package, so this is not confirmed malware. However, the actual data flow routes authentication, actions, and proxy requests through Membrane rather than directly to ChartHop, creating a meaningful third-party credential/data-handling risk; the unpinned CLI install adds moderate supply-chain risk.