moskit
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @membranehq/cli package via npm. This is a legitimate dependency provided by the platform vendor (Membrane) to facilitate secure authentication and interaction with connectors.
- [COMMAND_EXECUTION]: The skill uses the membrane CLI to execute actions and manage connections. These commands are part of the intended functionality for interacting with the Moskit integration and involve standard CLI operations.
- [PROMPT_INJECTION]: The skill retrieves and processes data from external actions, which introduces a surface for indirect prompt injection.
  - Ingestion points: Untrusted data enters the agent context through the output of membrane action list (JSON schemas) and membrane action run (action output from the Moskit service).
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to treat retrieved content as untrusted data rather than instructions.
  - Capability inventory: The skill possesses the capability to execute shell commands (via the membrane CLI), perform network operations, and write data back to the Moskit service.
  - Sanitization: No sanitization, escaping, or validation of the content retrieved from external sources is described in the instructions.
- [PROMPT_INJECTION]: There is an inconsistency in the skill's metadata. The body of the SKILL.md file describes Moskit as a "session replay and product analytics tool," whereas the YAML frontmatter and the provided overview indicate it is a CRM for managing organizations, activities, and tasks. This discrepancy could lead to the agent misinterpreting the sensitivity or purpose of the data it processes.
Audit Metadata