Project Broadcast
Pass. Audited by ClawScan on Apr 2, 2026.
Overview
The skill's documented behavior (using the Membrane CLI to proxy Project Broadcast actions) matches its purpose, but it relies on runtime execution of an external npm CLI (npx @membranehq/cli@latest) and reads and writes local credential files, which raise supply-chain and local-credential considerations the user should understand.
This skill appears to do what it says (use Membrane to talk to Project Broadcast), but two practical risks deserve attention. (1) It invokes npx @membranehq/cli@latest at runtime, which fetches and executes the current @latest release from the npm registry; to reduce supply-chain risk, consider pinning to a specific version or preinstalling the CLI. (2) Authentication tokens are stored locally in ~/.membrane/credentials.json and are sensitive; review and protect that file. If you are not comfortable allowing the agent to execute remotely fetched CLIs or to use locally stored tokens, either avoid installing the skill or require stricter controls (pin the CLI version, preinstall the binary, or restrict autonomous invocation). If you trust Membrane and are comfortable with the interactive login flow, the skill is proportionate to its purpose.
