purple-dot

SUSPICIOUS: The skill is internally coherent and uses a publisher-aligned official CLI, so it is not outright malicious. However, all Purple Dot access and authentication are mediated through Membrane’s third-party platform, and the install path uses unpinned latest CLI execution, creating medium trust and data-flow risk.