shortenrest

SUSPICIOUS: the skill’s stated purpose is coherent, and the CLI install source is official npm/vendor-documented, so this is not outright malicious. However, the real integration is with Membrane as an intermediary platform: authentication, stored connections, and action execution all route through Membrane instead of directly to Shorten.REST, and the skill uses unpinned latest CLI execution. That third-party credential/data routing makes the footprint higher-risk than a direct API skill.