document360

SUSPICIOUS. The skill is broadly coherent with its stated purpose and uses an official-looking npm package rather than a hidden installer, so it is not malware-like. However, it routes Document360 authentication and API traffic through Membrane as an intermediary and uses an unpinned CLI install, creating meaningful third-party trust and external-action risk that is higher than a direct official API integration.