breathe

SUSPICIOUS. The skill’s main behavior is broadly consistent with its stated purpose as a Membrane-based Breathe integration, and the CLI comes from an official npm package rather than an unverifiable binary. However, the skill routes sensitive HR actions and authentication through Membrane as a third-party intermediary, uses an unpinned global install, and contains a clearly incorrect official-docs link. This is not confirmed malware, but it carries meaningful trust and data-flow risk for a credentialed enterprise integration.