peoplehr

Warn

Audited by Socket on Apr 21, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS: The skill is mostly coherent with its stated PeopleHR integration purpose and uses a verifiable same-org npm CLI, but it introduces a third-party Membrane trust boundary for authentication and all API traffic, plus unpinned CLI execution and a broad proxy feature. This is not clearly malicious, but the indirect data flow and credential delegation make it higher risk than a direct official API integration.

Confidence: 87%
Severity: 54%

Audit Metadata

Analyzed At: Apr 21, 2026, 09:06 PM
Package URL: pkg:socket/skills-sh/membranedev%2Fapplication-skills%2Fpeoplehr%2F@b5f9edf59631898f307cb92cd2963949ce9dedda