pitchly
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS. The skill's purpose and capabilities are mostly coherent, and the CLI comes from an official npm package rather than an unknown binary. However, the skill centralizes Pitchly authentication and API traffic through Membrane's intermediary service instead of Pitchly's native API flow, creating meaningful credential-forwarding and data-flow trust risk; combined with unpinned CLI execution, this makes it medium risk rather than benign.
Confidence: 85%
Severity: 58%
Audit Metadata