marvel
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the `@membranehq/cli` package globally via npm. This is the official command-line interface provided by the skill author for interacting with their platform.
- [COMMAND_EXECUTION]: The instructions involve executing shell commands using the `membrane` CLI, including `login`, `connect`, and `action run`. These commands are standard for managing authentication and executing platform tasks.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it handles user-provided input in commands:
  - Ingestion points: User-supplied strings are passed to the `--intent` flag in `membrane action list` and the `--input` flag in `membrane action run` within `SKILL.md`.
  - Boundary markers: Examples in the documentation do not explicitly demonstrate the use of delimiters or 'ignore' instructions for the interpolated user content.
  - Capability inventory: The skill can execute actions on the Marvel API and create new functional actions via the `membrane` CLI as described in `SKILL.md`.
  - Sanitization: Documentation does not specify client-side sanitization; validation is expected to be managed by the Membrane platform.
Audit Metadata