async-interview

Pass

Audited by Gen Agent Trust Hub on Mar 4, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill directs users to install the '@membranehq/cli' package from the npm registry. This is a trusted vendor resource provided by 'membranedev' for interacting with the Membrane platform.
  • [COMMAND_EXECUTION]: The skill uses the 'membrane' CLI to perform operations such as 'membrane login', 'membrane action run', and 'membrane request'. These commands are the intended primary mechanism for the skill to manage Async Interview data.
  • [PROMPT_INJECTION]: The skill exhibits a potential surface for indirect prompt injection as it ingests data from an external API (Async Interview) that could be controlled by third parties (e.g., candidate profiles or interview responses).
      • Ingestion points: Results from 'membrane action run' and 'membrane request' are returned to the agent context.
      • Boundary markers: None are explicitly defined in the skill documentation to separate untrusted data from instructions.
      • Capability inventory: The skill has the ability to create, update, and delete interview records, as well as send arbitrary HTTP requests via the 'membrane request' command.
      • Sanitization: There is no evidence of explicit sanitization or filtering of the external data before it is processed by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 4, 2026, 08:56 AM