coupa-pay

SUSPICIOUS. The skill is broadly coherent with its stated Coupa Pay integration purpose and uses an official npm-distributed Membrane CLI, so it does not look like overt malware. The main concern is data-flow integrity: all auth and API traffic are funneled through Membrane as an intermediary instead of a direct Coupa integration, which increases trust and exposure requirements; combined with mutable `@latest`/`npx` execution, this makes the skill medium risk rather than benign.