t2m-url-shortener

SUSPICIOUS. The skill's capabilities broadly match its stated T2M integration purpose, and the CLI comes from an official npm package tied to the same vendor. However, all authentication and API activity are routed through Membrane as a third-party intermediary rather than directly to T2M, and the skill asks the agent to install and trust that external CLI with mutable latest-tag execution. This is not confirmed malicious, but it introduces medium risk through credential forwarding and proxy-style data flow.