holded

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @membranehq/cli package from the NPM registry. This is the official command-line tool for the Membrane platform, which is the service provided by the skill's author.
  • [COMMAND_EXECUTION]: The skill utilizes the membrane CLI to perform several operations, including user authentication (membrane login), service connection (membrane connect), and executing API actions (membrane action run). These commands are standard for the intended functionality of the integration.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection, as it ingests and processes data from the Holded API.
      ◦ Ingestion points: Data retrieved from membrane action list and membrane action run (such as contact details, product descriptions, or task lists) enters the agent's context in SKILL.md.
      ◦ Boundary markers: The instructions do not define specific delimiters or guardrails to separate external data from the agent's internal logic.
      ◦ Capability inventory: The agent has the ability to create new actions (membrane action create) and execute them (membrane action run), which could be influenced by malicious data in the Holded account.
      ◦ Sanitization: There is no evidence of explicit sanitization of the data returned by the Membrane CLI before it is processed by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 1, 2026, 12:05 AM
Security Audit — agent-trust-hub — holded