ukg-pro

SUSPICIOUS: The skill is coherent as a UKG automation wrapper, but it relies on a third-party intermediary (Membrane) for authentication and data access instead of direct UKG APIs. Install source is relatively trustworthy and same-vendor via npm, so this is not strong malware evidence, but the unpinned CLI execution and credential/data routing through Membrane create a meaningful medium security risk.