removebg

SUSPICIOUS. The core capability matches the stated Remove.bg integration purpose, and the install path is a legitimate npm package rather than a raw download. However, the skill routes authentication and API operations through Membrane instead of directly to Remove.bg, creating a third-party credential/data intermediary and broader trust surface than the description implies; this is moderate security risk, not confirmed malware.