cumulio
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill’s stated purpose matches its Cumul.io workflow, and the install path uses an official npm package from the same vendor ecosystem, so this is not overt malware. However, the integration is mediated through Membrane rather than direct Cumul.io APIs, requiring users to trust a third-party CLI/service with authentication, connection management, and action execution; combined with mutable `@latest` installation, this makes the skill medium risk rather than benign.
Confidence: 85%
Severity: 56%