ukg-ready

The skill is coherent with its stated UKG Ready integration purpose and uses an official Membrane CLI from npm, so it is not malicious. The main risk is architectural: sensitive UKG authentication and data are routed through Membrane as a third-party intermediary, plus the CLI install is globally unpinned and the skill can trigger real HR actions.