easypost

SUSPICIOUS: The skill is internally coherent as a Membrane-based EasyPost integration, and the install source appears legitimate. Main risk comes from third-party mediation through Membrane, unpinned CLI installation, and the ability to trigger real-world shipping actions; this is more a trust-boundary and execution-scope concern than confirmed malware.