hibob

SUSPICIOUS: The skill is broadly aligned with its stated HiBob integration purpose and uses a legitimate npm-distributed CLI, so it does not look malicious. However, all access is mediated through Membrane rather than direct HiBob APIs, the agent must trust a third-party CLI/service with authentication and HR data, and the skill enables high-impact HR actions; this makes it medium risk despite coherent purpose.