sonarcloud
Warn
Audited by Socket on Apr 30, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS: The skill’s purpose and capabilities are mostly coherent, and the CLI comes from a normal npm package source rather than a suspicious installer. However, all SonarCloud access and auth are funneled through Membrane instead of official SonarCloud APIs, introducing a third-party credential/data mediation layer that is materially riskier than a direct integration.
Confidence: 85%
Severity: 56%
Audit Metadata