tmetric

SUSPICIOUS. The skill is coherent with its stated purpose, and the installer appears to be the publisher's official npm-distributed CLI rather than an unverifiable binary. However, all TMetric access is mediated through Membrane instead of direct official API usage, so authentication and data flow through a third-party service; combined with an unpinned global CLI install, this creates moderate security and privacy risk rather than clear malware behavior.