shortpixel
Warn
Audited by Socket on May 6, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: the skill's core function is plausible, and the CLI install path is consistent with an official npm-distributed Membrane tool, but the actual data flow is mediated through Membrane rather than directly to ShortPixel. That intermediary trust model, plus unpinned `@latest` installs and server-side credential handling by a third party, makes the skill medium risk rather than benign.
Confidence: 84%, Severity: 57%
Audit Metadata