jobnimbus

SUSPICIOUS: the skill’s purpose broadly matches CRM integration, and the CLI comes from npm rather than an unknown binary source, but the real data flow is through Membrane as a third-party proxy and credential manager instead of directly to JobNimbus. That intermediary architecture is a medium risk trust and data-governance concern, amplified by the unpinned `@latest` install, but there is not enough evidence of overtly malicious behavior.