textanywhere

Warn

Audited by Socket on Apr 28, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill’s purpose is coherent, and the CLI source appears to be an official npm-distributed Membrane tool, so this is not outright malicious. However, all TextAnywhere access and credentials are mediated through Membrane’s CLI and proxy rather than direct TextAnywhere APIs, and the use of unpinned `@latest` installs adds supply-chain risk. The footprint is plausible for the stated purpose but introduces a notable third-party trust and data-routing dependency.

Confidence: 87%
Severity: 60%
Audit Metadata
Analyzed At: Apr 28, 2026, 03:03 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Ftextanywhere%2F@5941feda57469b615f4a8da11bee511ef927cdf8