smartcar
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the
membranecommand-line interface to perform all vehicle operations (lock, unlock, etc.) and search for actions. This centralizes security and authentication logic within a dedicated tool. - [EXTERNAL_DOWNLOADS]: Instructions include installing the
@membranehq/cliglobal package from the official npm registry. This is the legitimate tool provided by the vendor (Membrane) for this integration. - [CREDENTIALS_UNSAFE]: The skill explicitly advises against asking for or hardcoding API keys, instead using Membrane's connection system to handle OAuth flows and token refreshes securely on the server side.
- [PROMPT_INJECTION]: While the skill processes external data from the Smartcar API (such as vehicle names or status), which presents a theoretical indirect injection surface, no exploitable patterns are present. The skill provides clear instructions on using structured actions which limits this risk.
Audit Metadata