postmark

SUSPICIOUS. The skill's capabilities fit its stated Postmark purpose, and the CLI install path appears to be an official vendor/npm route, so this is not clearly malicious. However, all Postmark access and credentials are routed through Membrane rather than Postmark's native API, and the skill enables outbound email actions with real-world consequences; combined with an unpinned global CLI install, this makes the overall risk medium.