graphhopper

SUSPICIOUS: The skill is coherent as a Membrane-based GraphHopper integration, and the CLI install path is a normal official npm package rather than a covert payload. However, it routes authentication and API traffic through Membrane instead of direct GraphHopper APIs, expanding trust and data exposure to a third-party intermediary; this makes it medium risk but not malicious.