ashby

SUSPICIOUS: the skill is internally coherent and uses an official same-org npm CLI, so it does not look malicious. However, it routes Ashby authentication and recruiting data through Membrane as an intermediary and enables write actions against an ATS, creating moderate trust and data-governance risk beyond a direct first-party API integration.