ashby

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing the Membrane CLI (@membranehq/cli), which is a legitimate tool provided by the vendor for managing integrations. This is a trusted resource associated with the author.
  • [COMMAND_EXECUTION]: The skill uses the membrane command-line tool for interacting with Ashby data, such as searching for connectors and running actions. These commands are part of the intended functional scope of the integration.
  • [CREDENTIALS_UNSAFE]: The skill follows security best practices by advising users to let the Membrane platform handle credentials server-side, ensuring that sensitive API keys or tokens are not stored or requested locally.
  • [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it processes data from an external recruiting platform (Ashby), such as candidate names or job descriptions.
      • Ingestion points: Data retrieved from Ashby API (e.g., list-candidates, list-jobs, list-applications).
      • Boundary markers: None explicitly implemented in the skill description.
      • Capability inventory: The skill can execute actions like creating candidates or updating jobs and can perform arbitrary API requests through the membrane request proxy.
      • Sanitization: No explicit sanitization or validation measures are described for the external content being processed.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 4, 2026, 08:56 AM