mercado-pago
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill is coherent with its stated Mercado Pago integration purpose, and the CLI install path appears to be an official npm package rather than an unverifiable binary. However, all access is routed through Membrane as a third-party intermediary, and the skill enables real financial actions with a mutable CLI version and no explicit per-action approval guardrails. This is better classified as a medium-risk third-party brokered integration, not confirmed malware.
Confidence: 87%
Severity: 53%
Audit Metadata