google-address-validation

SUSPICIOUS: The skill’s stated purpose broadly matches its capabilities, and the CLI comes from an official npm package rather than an obviously malicious source. However, it routes authentication and API activity through Membrane instead of directly to Google, creating a third-party credential/data intermediary, and it uses unpinned `@latest` installs plus dynamic action creation. This is not confirmed malware, but it carries medium security risk due to proxy-style data flow and elevated trust in external CLI/service infrastructure.