lob

SUSPICIOUS. The skill is broadly coherent as a Lob integration helper, and the CLI install source is legitimate npm rather than an unverifiable binary. However, the skill materially changes the trust model by routing authentication and API traffic through Membrane, a third-party intermediary, so credentials and Lob data do not flow directly to official Lob endpoints. That intermediary design is disclosed and may be intentional, but it is still a meaningful data-flow and credential-forwarding risk beyond a simple Lob connector.