Convert XNO Units

SUSPICIOUS: The stated purpose is benign and narrow, but the skill achieves it by executing an unverified, unpinned external npm package (`xno-skills`) that could not be tied to a verifiable publisher or source repository from the provided evidence. No credential theft or malicious data flow is shown, so this is best classified as supply-chain risk rather than confirmed malware.