shortio

SUSPICIOUS: The skill’s capabilities match its stated Short.io purpose and the CLI comes from an official npm package, so this is not overt malware. However, all auth and API traffic are funneled through Membrane rather than directly to Short.io, creating a meaningful third-party credential and data-handling trust dependency; combined with unpinned npm execution, this makes the skill medium risk rather than benign.