phyllo
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the
@membranehq/clipackage from the public NPM registry. This package belongs to the skill vendor and is used to facilitate communication with the platform. - [COMMAND_EXECUTION]: The skill utilizes several CLI commands (e.g.,
membrane connect,membrane action run) to interact with Phyllo. These commands are standard for the tool's operation and are used to discover and execute platform actions. - [DATA_EXFILTRATION]: Authentication is handled via
membrane login, which uses a secure OAuth-style flow. The instructions explicitly advise against requesting sensitive keys from the user, ensuring credentials are managed server-side by the vendor's platform. - [SAFE]: The skill's behavior is consistent with its stated purpose as a data connectivity integration, and it exclusively uses vendor-owned resources for its operations.
Audit Metadata