gooddata

SUSPICIOUS. The skill's purpose is coherent, and the install source is a legitimate npm package tied to the same product ecosystem, so this is not overt malware. However, it mediates all GoodData access through Membrane rather than official GoodData APIs, forwarding authentication and data to a third-party service, and it relies on mutable `@latest` CLI execution. That makes it a medium-risk integration skill with notable trust and data-flow concerns rather than a benign direct API skill.