gift-up
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the official platform CLI (
@membranehq/cli) via NPM. This is a standard practice for the tool's ecosystem and targets a well-known package registry. - [COMMAND_EXECUTION]: The instructions include various
membraneCLI commands for authentication, connection management, and performing API actions. These commands are necessary for the skill's functionality and do not exhibit malicious patterns. - [DATA_EXFILTRATION]: While the skill interacts with the Gift Up! API and can read/write data, it does so through the Membrane proxy service. This uses managed authentication headers and is consistent with the skill's primary purpose of integration with a gift card platform.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it ingests data from an external API (Gift Up!).
- Ingestion points: Data retrieved from Gift Up! API (e.g., customer names, gift card details, order notes).
- Boundary markers: None identified in the instructional content.
- Capability inventory: The skill uses the
membraneCLI to execute network requests and administrative actions. - Sanitization: No explicit sanitization or validation of the ingested data is described.
Audit Metadata