ratecard

SUSPICIOUS: The skill's core purpose and capabilities are mostly coherent, and the CLI comes from an official npm package rather than an unverifiable binary. The main concern is data-flow integrity: Ratecard access and authentication are funneled through Membrane as a third-party intermediary, expanding trust beyond the official Ratecard API path. This looks more like a legitimate integration wrapper than malware, but the proxying and mutable CLI install make it medium risk.