moov

SUSPICIOUS: The skill is mostly coherent with its stated Moov-integration purpose and uses an official-looking same-vendor CLI from npm, so it does not look overtly malicious. However, all Moov access is routed through Membrane rather than directly to Moov, creating meaningful third-party trust and data-flow risk for payment-related operations, plus mutable @latest install hygiene and the ability to trigger real-world financial actions.