flexitime

Warn

Audited by Socket on Apr 22, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill’s function is coherent at a high level, but it is not a direct Flexitime integration; it requires installing and trusting Membrane’s CLI and routing authentication/data through Membrane-managed services. Because the install path is official npm and there is no clear payload/exfiltration trick, this is not confirmed malware, but the third-party gateway model and mutable CLI installs make the trust boundary materially broader than the stated Flexitime-only purpose.

Confidence: 82%
Severity: 62%

Audit Metadata

Analyzed At: Apr 22, 2026, 06:12 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fflexitime%2F@62226dc998699c5918969171cd22784d79bc3c92