docx-to-markdown

SUSPICIOUS: the core capability is benign and mostly local, but the skill is not internally coherent. Its install/runtime story conflicts between pandoc and a Node-based converter, and the recommended `ck init`/`install.sh` path is broader than necessary for a simple DOCX-to-Markdown task. No clear credential theft or exfiltration is present, so this looks more like an over-scoped, inconsistent skill than confirmed malware.