omniconvert

SUSPICIOUS: The skill is internally coherent as a Membrane-based Omniconvert integration, and the CLI comes from an official npm package tied to the publisher. However, all auth and API activity is mediated through Membrane rather than direct Omniconvert endpoints, and the mutable `@latest`/`npx` install pattern adds supply-chain risk. This is not confirmed malware, but it requires trusting a third-party intermediary with credentials and data.