pdfmonkey
Warn
Audited by Socket on Apr 30, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS: The skill is coherent for PDFMonkey integration, and the CLI comes from an official npm package tied to the same vendor ecosystem. The main concern is data-flow scope: instead of talking directly to PDFMonkey, the skill routes authentication and actions through Membrane as an intermediary, which increases trust and exposure beyond the named service; combined with an unpinned `@latest` global install, this makes it medium risk rather than benign.
Confidence: 86%
Severity: 57%