ukg-pro-hcm
Warn
Audited by Socket on Apr 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill’s capabilities are broadly aligned with its UKG integration purpose, and the install path uses an official npm package rather than a raw downloader. However, it routes sensitive HR data and authentication through Membrane instead of direct UKG APIs, relies on a third-party CLI/service trust chain, uses an unpinned `@latest` install, and can dynamically create new actions. This is not confirmed malware, but it carries meaningful security and privacy risk due to credential/data mediation and expanded trust boundaries.
Confidence: 84%
Severity: 58%
Audit Metadata