gitpod

SUSPICIOUS. The skill’s capabilities mostly match its stated Gitpod-integration purpose, and the CLI comes from npm rather than a raw binary installer. However, all access is mediated through Membrane, which stores and manages Gitpod credentials server-side, creating a third-party credential and data-routing dependency that is broader than a direct Gitpod integration. The risk is mainly trust-boundary and supply-chain related, not confirmed malware.