signicat

SUSPICIOUS: The skill's purpose and capabilities mostly align, and the CLI install source appears to be the publisher's official npm package. The main concern is data-flow integrity: Signicat authentication and API traffic are routed through Membrane as a third-party intermediary rather than directly to official Signicat endpoints. That makes this a coherent but higher-trust integration pattern, with medium risk driven by proxying and mutable `@latest` installs rather than clear malware behavior.