zoho-people

SUSPICIOUS: The skill’s purpose and capabilities are broadly coherent for a Zoho People integration, and the CLI install comes from the official npm registry rather than a raw download. However, credentials and data are funneled through Membrane’s platform instead of directly to official Zoho endpoints, creating a third-party mediation layer with broader trust requirements. The risk is elevated by the mutable global `@latest` install and remote action-building model, but there is no clear evidence of credential theft, stealth, or clearly malicious behavior.