harvest
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s purpose broadly matches Harvest management, and the install path is a normal npm package rather than a raw payload, so this is not confirmed malware. However, it requires trusting the Membrane CLI and backend as an intermediary for authentication, credential storage, dynamic action generation, and all Harvest API operations, which creates medium security risk and a data-flow mismatch versus direct official Harvest API use.
Confidence: 87%
Severity: 56%
Audit Metadata