xapi

Warn

Audited by Socket on Mar 13, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill’s stated purpose matches its capabilities, and the npm install path looks plausible, but its actual footprint is high-risk because it centralizes many external services behind xapi.to, forwards credentials through that intermediary, supports autonomous public posting, and includes a payment flow that can reveal the API key in a URL. This is better classified as a risky proxy/integration skill than malware.

Confidence: 84%
Severity: 78%
Audit Metadata

Analyzed At: Mar 13, 2026, 02:34 PM
Package URL: pkg:socket/skills-sh/xapi-labs%2Fskills%2Fxapi%2F@908d20ce6553acb367d47db39a70e233b3598ff4