cubicl

SUSPICIOUS: The skill is broadly coherent and uses an official npm-distributed Membrane CLI, so it is not outright malicious. However, it routes Cubicl authentication and data through Membrane instead of Cubicl's official API, creating an intermediary trust and credential/data handling risk; combined with unpinned `@latest` installs, this makes the skill medium risk rather than benign.