melissa-data
Warn
Audited by Socket on May 3, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill is mostly purpose-aligned and uses an official npm-distributed first-party CLI, so it does not look malicious. However, it centralizes Melissa authentication and data operations through Membrane rather than Melissa’s official API endpoints, creating a third-party credential/data mediation layer with moderate trust and privacy risk; the unpinned global CLI install adds low supply-chain risk.
Confidence: 85%
Severity: 53%