paved

SUSPICIOUS: the skill is not overt malware and uses an official same-org npm CLI, but its real footprint is a Membrane integration layer more than a direct Paved skill. Requiring a Membrane account, routing auth and data through Membrane, and using unpinned `@latest` commands make the scope and data flow moderately inconsistent with a straightforward Paved-only integration.