deployhq

SUSPICIOUS: the skill is broadly coherent for a DeployHQ integration, but it introduces a meaningful trust boundary by requiring the Membrane CLI and routing DeployHQ authentication and data through Membrane-managed services. This is not confirmed malicious: install source is official npm and capabilities match the stated purpose. Main risks are unpinned CLI installation, third-party credential custody, and operational actions with real-world deployment impact.