clockodo

SUSPICIOUS: the skill's purpose and capabilities mostly align, and installation uses an official npm package rather than a hidden binary. The main concern is data-flow integrity: all Clockodo access and credential handling are routed through Membrane as a third-party intermediary, which is disclosed but creates a man-in-the-middle trust model compared with Clockodo's direct API. Overall this looks like a legitimate integration skill with medium security risk, not confirmed malware.