signrequest

SUSPICIOUS. The skill is mostly coherent with its stated purpose and uses an official npm-distributed CLI, so it does not look malicious. However, it requires a third-party Membrane account/CLI and routes SignRequest authentication and data through Membrane instead of the official SignRequest API, creating moderate trust, credential-forwarding, and data-flow risk.