grab
Warn
Audited by Socket on Apr 28, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill's capabilities fit its stated Grab integration purpose, and the CLI source is a legitimate npm package tied to Membrane, not an obviously rogue payload. However, the core data flow routes authentication and API activity through Membrane instead of directly to Grab, and the unpinned `@latest`/`npx` execution path adds supply-chain risk. This looks like a coherent third-party gateway integration, not confirmed malware, but it requires meaningful trust in Membrane as an intermediary.
Confidence: 86%
Severity: 58%
Audit Metadata