smsapi
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
@membranehq/cliglobal package from the NPM registry. This tool is the primary interface for the Membrane platform and is a legitimate dependency provided by the vendor. - [COMMAND_EXECUTION]: The instructions utilize the
membranecommand-line utility to perform login, establish connections to SMSAPI, and execute actions. These operations are scoped to the intended functionality of the skill. - [CREDENTIALS_SAFE]: The skill explicitly advises against asking users for API keys or tokens, directing them instead to use the platform's connection manager. This reduces the risk of credential exposure in logs or local configuration files.
- [PROMPT_INJECTION]: The skill acts as an interface for reading external data (SMS messages and contacts), which represents a potential surface for indirect prompt injection. While no specific vulnerabilities were detected, the agent should treat content retrieved from SMSAPI as untrusted data.
Audit Metadata