tmetric
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the `@membranehq/cli` package from the NPM registry. This is a vendor-owned resource used to facilitate communication with the Membrane platform.
- [COMMAND_EXECUTION]: The instructions involve executing various `membrane` CLI commands for authentication (login), connection management (connect), and running integration logic (action run).
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it processes data from external TMetric accounts.
  - Ingestion points: External data enters the agent context via the output of `membrane action run` commands.
  - Boundary markers: The instructions do not specify the use of delimiters or boundary markers to isolate data from TMetric.
  - Capability inventory: The agent can execute CLI commands, create new actions, and perform network operations via the Membrane platform.
  - Sanitization: No explicit sanitization or validation of the external API responses is mentioned.
Audit Metadata