woodpeckerco

SUSPICIOUS: the overall footprint mostly fits a Membrane-based Woodpecker integration, and the CLI comes from an official npm package under the same vendor scope. However, the skill is not a direct Woodpecker integration; it intermediates authentication and data through Membrane, uses mutable `@latest`, stores local CLI secrets, and includes an incorrect 'official docs' link to Woodpecker CI. These inconsistencies and the third-party credential/data routing make it higher-risk than a normal first-party API skill, but not clearly malicious.