spiff
Warn
Audited by Socket on Apr 30, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill's purpose broadly matches its capabilities, and it avoids asking for raw Spiff credentials by using an interactive OAuth-style Membrane login. However, it requires installing and trusting a third-party CLI plus routing Spiff data through Membrane's proxy/service layer instead of direct official Spiff API access. That intermediary architecture is disproportionate for a simple integration guide and creates medium supply-chain and data-flow risk, though there is no clear evidence of overtly malicious behavior or credential theft instructions.
Confidence: 89%
Severity: 58%
Audit Metadata