semaphoreci

SUSPICIOUS. The skill's functionality is coherent at a high level, but it is not a direct Semaphore integration: it installs and relies on Membrane's CLI/service, requires a Membrane account, and routes Semaphore actions and proxy requests through Membrane-managed infrastructure. Install provenance looks legitimate via npm and same-org branding, so this is not confirmed malware, but the third-party credential custody and intermediary data flow make the skill materially higher risk than a direct Semaphore client.