ikigai
Warn
Audited by Socket on May 1, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill’s purpose and capabilities mostly align, and the CLI install comes from the official npm registry with publisher-consistent branding. However, all Ikigai access and credential handling are mediated by Membrane’s proxy/service instead of the vendor API directly, creating third-party data exposure and trust concentration. The unpinned global CLI install and mixed Ikigai domain references add medium supply-chain and data-flow risk, but there is no clear evidence of outright malware or credential theft behavior.
Confidence: 86%
Severity: 58%
Audit Metadata