pandoc

SUSPICIOUS: The document-conversion purpose is coherent, and requested scope is narrow, but the skill’s zero-setup behavior relies on automatically downloading and executing a repackaged pandoc binary through x-cmd rather than using upstream pandoc or a standard registry/package-manager path. That creates a meaningful supply-chain trust gap without clear evidence of malicious intent.