sapling

SUSPICIOUS: The skill is internally coherent for a Membrane-published Sapling integration and uses an official npm-distributed CLI, so it does not look overtly malicious. However, all Sapling authentication and request traffic is mediated through Membrane rather than going directly to Sapling, which introduces meaningful third-party data-flow and trust risk for sensitive HR data.