starshipit

SUSPICIOUS. The skill's capabilities mostly match its purpose, and the install path is an official npm package, so this is not malware-like. However, all authenticated Starshipit access is routed through Membrane rather than directly to Starshipit, creating a meaningful third-party credential and data-flow trust boundary that raises medium security risk.