chatwoot

Pass

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @membranehq/cli package from the NPM registry. This is a vendor-owned package associated with the skill's authoring organization.
  • [COMMAND_EXECUTION]: The skill uses the membrane CLI to perform operations such as user authentication (membrane login), managing connections (membrane connect), and executing actions (membrane action run). These are standard operational commands for the platform.
  • [REMOTE_CODE_EXECUTION]: The membrane action create command utilizes natural language descriptions to generate and deploy new logic on the Membrane platform. While this involves remote code generation, it is a primary functional feature of the service described in the skill.
  • [PROMPT_INJECTION]: The skill processes untrusted data from Chatwoot conversations and contacts, which presents an indirect prompt injection surface.
    • Ingestion points: External messages, customer records, and conversation history are ingested via Chatwoot actions.
    • Boundary markers: No explicit delimiters or boundary markers for untrusted content are specified in the usage instructions.
    • Capability inventory: The skill has the capability to execute shell commands (via CLI), perform network operations, and dynamically generate new actions.
    • Sanitization: There is no mention of sanitization, filtering, or validation of the data retrieved from Chatwoot.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 30, 2026, 11:35 PM