whitesource
Warn
Audited by Socket on Apr 28, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill is coherent and not overtly malicious, but it routes WhiteSource authentication and data through Membrane instead of directly to official Mend APIs. That intermediary data flow and third-party credential handling are proportionate to the product design yet still introduce medium security risk; the npm-installed CLI itself appears legitimate but is installed globally at an unpinned latest version.
Confidence: 85%
Severity: 57%
Audit Metadata