ngrok

SUSPICIOUS: the skill is coherent as an Ngrok integration, and its install path is an official npm package rather than a raw downloader. However, all access is brokered through Membrane instead of Ngrok's official API, creating a meaningful third-party data and credential-routing trust boundary; combined with an unpinned global CLI install, this makes the skill moderately risky rather than benign.