u301

SUSPICIOUS. The skill is broadly coherent as a Membrane integration and uses an official npm-distributed CLI, so it is not confirmed malicious. However, it sends authentication and API traffic through Membrane as an intermediary, uses mutable `@latest` installs, and provides weak/unclear evidence that the named U301 target is a well-documented API integration; this makes the data flow and scope moderately risky for an agent skill.