poof
Warn
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains highly contradictory metadata. The YAML frontmatter claims the skill is for managing 'Persons, Organizations, Deals, Leads, Projects, Activities', which are CRM-related entities. However, the body of the skill describes 'Poof' as a 'disappearing message app' similar to Snapchat. This deceptive documentation can lead to user confusion regarding the types of data the skill interacts with.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from external services via the Membrane CLI.
  - Ingestion points: Data enters the agent context via the output of `membrane action run` and `membrane action list` commands.
  - Boundary markers: None. There are no instructions to the agent to treat the output of these tools as untrusted or to use delimiters.
  - Capability inventory: The skill can execute arbitrary actions via `membrane action run`, create new actions via `membrane action create`, and perform network-based logins.
  - Sanitization: None. The skill does not specify any filtering or validation for the data returned by the external actions before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill relies on the execution of the `membrane` CLI tool for all its operations, including authentication (`membrane login`), connection management (`membrane connect`), and action execution (`membrane action run`).
- [EXTERNAL_DOWNLOADS]: The instructions direct the user to install a global Node.js package (`@membranehq/cli@latest`) from the npm registry to enable the skill's functionality.
Audit Metadata