chatbotkit

SUSPICIOUS: The skill’s purpose and capabilities are broadly consistent, and the CLI comes from an official npm package, so this is not overt malware. However, it routes all ChatBotKit access, credentials, and action execution through Membrane as a third-party intermediary rather than ChatBotKit directly, which raises medium risk around data flow integrity and credential custody. Unpinned global CLI installation adds low supply-chain risk.