zoho-salesiq
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
@membranehq/cliglobal package from the npm registry. This is the official command-line interface for the Membrane platform provided by the vendor. - [COMMAND_EXECUTION]: The skill utilizes several CLI commands such as
membrane login,membrane connect, andmembrane action runto interact with the Zoho SalesIQ API. These commands are standard operations for the platform's workflow and do not involve unauthorized privilege escalation. - [PROMPT_INJECTION]: The skill includes functionality to process data from Zoho SalesIQ, which creates a surface for indirect prompt injection.
- Ingestion points: Visitor messages, chat transcripts, and department data fetched from Zoho SalesIQ via
membrane action run(SKILL.md). - Boundary markers: None explicitly mentioned in the instructions; data is processed as JSON parameters.
- Capability inventory: Shell command execution via the
membraneCLI and dynamic action creation (SKILL.md). - Sanitization: Handled by the Membrane platform's action execution environment.
- [DATA_EXPOSURE]: The skill implements strong security practices by explicitly instructing the user and agent to never store API keys locally, instead delegating credential lifecycle management to the Membrane platform's server-side connection handler.
Audit Metadata