vtex
Warn
Audited by Socket on May 4, 2026
1 alert found:
Anomaly (LOW)
SKILL.md
SUSPICIOUS. The skill's purpose and capabilities generally align, and the CLI comes from an official npm package rather than an unknown binary. However, it routes authentication and VTEX operations through Membrane as an intermediary, adding a third-party trust and data-flow layer beyond official VTEX APIs, and it uses unpinned `@latest` installs. This is not confirmed malware, but it carries meaningful security and privacy risk for enterprise commerce data.
Confidence: 86%
Severity: 58%
Audit Metadata