salesforce-pardot

SUSPICIOUS. The skill’s general purpose matches marketing automation tasks, and the CLI comes from an official same-brand npm package, so this is not confirmed malware. However, the core integration is not a direct Pardot client: it requires a separate Membrane account, routes auth and data through Membrane, and can create remote-built actions. That third-party gateway model makes the data flow and trust footprint larger than the skill’s title suggests, so the skill is internally risky despite plausible documentation.