verve

SUSPICIOUS. The skill's capabilities broadly match its stated Verve integration purpose, and installation uses an official npm package rather than a raw downloader. However, it requires trusting Membrane as a third-party intermediary for authentication, credential storage, and proxied API traffic instead of using Verve's official APIs directly, which creates medium security risk despite no clear malicious behavior.