smooch

SUSPICIOUS: The skill’s purpose and capabilities mostly align, and the CLI install path is from an official npm package rather than an unverifiable binary. However, the integration routes authentication and Smooch data through Membrane as a third-party intermediary instead of the official Sunshine Conversations API, and the skill explicitly steers users toward that brokered path. This is a coherent product model, not confirmed malware, but it creates medium security risk due to credential/data delegation and an unpinned external CLI dependency.