sharpspring

SUSPICIOUS. The skill's capabilities mostly match its stated SharpSpring integration purpose, and the install path uses an official npm package rather than a raw downloader. The main risk is architectural: all authentication and API access are mediated by the Membrane CLI/service, so CRM credentials and data depend on a third-party platform outside SharpSpring. Combined with unpinned `@latest` installation and broad proxy request capability, this is medium risk but not clearly malicious.