shipperhq

SUSPICIOUS: The skill's purpose and capabilities mostly align, and the CLI comes from an official npm package tied to the same vendor. The main concern is data-flow integrity: ShipperHQ access and auth are routed through Membrane as an intermediary, plus the skill uses mutable @latest installs/execution. This looks like a legitimate integration pattern with medium security risk rather than malware.