rewardful

Warn

Audited by Socket on May 2, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: the skill is mostly coherent with its stated Rewardful integration purpose, and the CLI install path is an official npm package from the same ecosystem. However, all authentication and data access are routed through Membrane as a third-party intermediary rather than directly to Rewardful, and the skill encourages remote action creation/execution using mutable `@latest` tooling. This is not clearly malicious, but it introduces medium trust and data-flow risk beyond a direct API integration.

Confidence: 84%
Severity: 56%

Audit Metadata

Analyzed At: May 2, 2026, 11:50 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Frewardful%2F@8da81b987948f5212f412d66a6b07ffe7ed7f96e