constant-contact

Warn

Audited by Socket on May 2, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS. The skill is internally coherent for a Membrane-hosted Constant Contact integration, and the CLI comes from an official npm package matching the publisher. However, it routes authentication, credential storage, and API activity through Membrane as a third-party intermediary instead of direct Constant Contact APIs, and it uses an unpinned global CLI install. This is not confirmed malware, but it carries medium security/privacy risk due to the added trust boundary and server-side credential handling.

Confidence: 87%
Severity: 56%

Audit Metadata

Analyzed At: May 2, 2026, 07:29 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fconstant-contact%2F@9c98655f24963acea9297645735243a62343ecd9