pay-with-bolt

Warn

Audited by Socket on Apr 29, 2026

1 alert found:

Anomaly: LOW
SKILL.md

SUSPICIOUS: the skill’s stated Bolt integration is implemented by routing auth and data through Membrane, a third-party intermediary, rather than official Bolt APIs. The install source is legitimate npm and there is no clear malware or stealth behavior, but the extra trust placed in Membrane for credentials, connections, and action execution creates medium security risk and weakens data-flow integrity.

Confidence: 86%
Severity: 62%

Audit Metadata
Analyzed At: Apr 29, 2026, 04:11 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fpay-with-bolt%2F@fb0bd0961713d06c4542556f7cbafc5c40480f4c