uplisting

SUSPICIOUS: the skill’s stated purpose broadly matches its capabilities, and the CLI install path appears to be the vendor’s official npm distribution. However, all authentication and API interaction are funneled through Membrane rather than directly to Uplisting, creating a third-party credential and data mediation layer that is material to trust and data-flow integrity. This is not confirmed malware, but it carries medium risk due to intermediary routing and unpinned `@latest` CLI execution.