veracode

Warn

Audited by Socket on Apr 28, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The install path for the Membrane CLI appears consistent with Membrane's official distribution, so supply-chain risk is not the main issue. The core concern is data-flow integrity and scope: a Veracode skill should normally authenticate to and call Veracode directly, but this skill requires a separate Membrane account and sends all access through Membrane-managed connections and server-side credential handling. That intermediary architecture is disproportionate to the stated purpose and creates unnecessary third-party visibility into Veracode data and auth flows.

Confidence: 87%
Severity: 74%

Audit Metadata
Analyzed At: Apr 28, 2026, 04:48 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fveracode%2F@149e0d26259b94e739861e52e031d6fce4ee43f1