shipday

Warn

Audited by Socket on May 3, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill is coherent as a Membrane-based Shipday integration and uses an official npm-published CLI, so it does not look like confirmed malware. But it routes authentication and Shipday operations through Membrane rather than Shipday's official API, creating a meaningful third-party data and credential trust concern; combined with mutable `@latest` installs, this makes the skill medium risk rather than benign.

Confidence: 86%
Severity: 56%

Audit Metadata

Analyzed At: May 3, 2026, 04:35 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fshipday%2F@6490c22cc2aec8d9eba404403cf44e2ea958f35f