paylocity
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @membranehq/cli package globally via npm. This is the official command-line interface provided by the vendor (Membrane) to facilitate the integration.
- [COMMAND_EXECUTION]: The skill utilizes several membrane CLI commands (login, connect, action list, action run) to interact with the Paylocity API. These commands are part of the standard operating procedure for the platform and are used to manage authentication and data workflows.
- [DATA_EXFILTRATION]: While the skill interacts with sensitive HR and payroll data from Paylocity, it does so through the Membrane platform which manages credentials server-side. There are no patterns indicating the unauthorized transmission of data to third-party or untrusted domains.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external data from Paylocity (e.g., employee records, pay statements). There is a theoretical surface for indirect prompt injection if data retrieved from Paylocity contains malicious instructions, though this is a general risk for any data-integrating skill and is mitigated by the agent's internal safety layers.
Audit Metadata