assembla
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @membranehq/cli Node.js package via npm. This is a vendor-provided tool from Membrane used for managing authentication and integration logic.
- [COMMAND_EXECUTION]: The skill utilizes the membrane command-line interface to interact with the Assembla API. Specific commands include membrane login, membrane connect, and membrane action run to perform project management operations.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from Assembla (such as ticket descriptions and comments) which could contain malicious instructions.
  1. Ingestion points: Data is fetched from Assembla via actions defined in SKILL.md like list-tickets and get-ticket.
  2. Boundary markers: There are no specified delimiters or instructions to the agent to ignore instructions embedded within the fetched data.
  3. Capability inventory: The agent has the ability to execute further API actions and requests using membrane action run and membrane request.
  4. Sanitization: The skill does not implement explicit sanitization or validation of the content received from the Assembla API.
Audit Metadata