timekit

SUSPICIOUS. The skill is mostly aligned with its stated Timekit-integration purpose, and the CLI install source appears to be the official vendor package on npm, which lowers supply-chain concern. The main risk is architectural: all authentication and API activity are routed through Membrane as an intermediary, with server-side credential handling and dynamic action creation, so data flow is broader than a direct Timekit integration. This is not clearly malicious, but it is a medium-risk third-party gateway pattern with mutable CLI installation and non-native credential routing.