gitea

SUSPICIOUS. The skill’s capabilities broadly match its Gitea-management purpose, and the CLI install path is from an official registry, so this is not overt malware. However, the integration routes Gitea authentication and API traffic through Membrane, a third-party platform, and requires a Membrane account for a Gitea task; that data-flow indirection and credential custody expansion create a medium security risk even though the behavior appears product-consistent rather than deceptive.