wishpond

SUSPICIOUS. The skill is broadly aligned with its stated Wishpond-management purpose and uses an official npm-distributed vendor CLI, so this is not confirmed malware. However, it shifts all Wishpond access and credentials through Membrane rather than direct Wishpond APIs, creating meaningful third-party trust and data-flow risk; combined with mutable `@latest` installs, this makes the skill medium risk rather than benign.