hugging-face
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the `@membranehq/cli` package via NPM. This tool is provided by the vendor to facilitate interaction with their platform.
- [COMMAND_EXECUTION]: Several shell commands using the `membrane` CLI are used for authentication and task execution. This is the intended method for using the skill.
- [PROMPT_INJECTION]: The skill ingests untrusted data from Hugging Face (e.g., repository files and discussions) through actions like `list-repository-files` and `get-discussion` in `SKILL.md`. While this represents an indirect prompt injection surface, the skill relies on the Membrane platform for processing and does not perform unsafe local operations with the data. No explicit boundary markers or local sanitization are defined.
Audit Metadata