heap

SUSPICIOUS: The skill’s capabilities fit its stated Heap-integration purpose, and the CLI install path appears to be the official same-org npm distribution. However, all Heap authentication and data access are funneled through Membrane’s intermediary platform rather than direct Heap APIs, creating moderate trust and data-flow risk. This looks coherent but carries meaningful third-party credential/data handling exposure.