herobot-chatbot-marketing

The skill is internally coherent as a Membrane-powered HeroBot integration, and the install path is from an official registry. However, it routes authentication and all HeroBot operations through Membrane rather than directly to HeroBot’s official API, creating a meaningful third-party trust and data-flow risk. Overall this is better classified as suspicious/medium risk than malicious.