kvk

SUSPICIOUS: the core function is coherent as a KVK integration, and the CLI install path is reasonably legitimate via npm, but the skill materially shifts trust and data flow from official KVK APIs to Membrane as an intermediary. That makes it higher risk than a direct API integration, though not malicious based on the provided evidence.