thanksio

SUSPICIOUS: the skill is mostly coherent with its stated Membrane-based Thanks.io purpose, and the CLI install path appears first-party via npm. However, it routes authentication and operational data through Membrane instead of official Thanks.io APIs and enables autonomous real-world actions like sending mail and gift cards, which raises medium risk despite no clear malware indicators.