ploi

SUSPICIOUS: The skill's purpose and capabilities mostly align, and the install source appears official to Membrane, not an obvious malware lure. However, all Ploi access, auth, and action execution are routed through Membrane instead of Ploi's official direct API, creating a meaningful third-party credential/data trust boundary; combined with mutable `@latest` installs and action auto-generation, this makes the skill medium risk rather than benign.