yoco

SUSPICIOUS: The skill is broadly aligned with its stated Yoco integration purpose and uses an official Membrane CLI from npm, so it does not look outright malicious. However, it routes Yoco authentication and data through Membrane as an intermediary, uses mutable `@latest` CLI execution, and enables payment-affecting actions plus dynamic action creation, making the trust and data-flow footprint moderately risky for an AI agent skill.