big-cartel

Pass

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: SAFE

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill guides the user to install the @membranehq/cli package from NPM, which is the official tool for the Membrane platform provided by the vendor.
  • [COMMAND_EXECUTION]: Utilizes the membrane command-line interface to perform operations such as searching for connectors, establishing connections, and running API actions. This behavior is standard for the skill's intended purpose.
  • [PROMPT_INJECTION]: The skill processes external data from the Big Cartel API (e.g., products and orders). This constitutes an indirect prompt injection surface. Evidence:
      1. Ingestion points: Big Cartel API responses (SKILL.md)
      2. Boundary markers: Not explicitly defined in the instructions
      3. Capability inventory: Subprocess execution via the membrane CLI tool
      4. Sanitization: No explicit sanitization or validation logic is specified in the prompt instructions
    This is a common characteristic of data-integrating skills and does not represent an active threat.

Audit Metadata
Risk Level: SAFE
Analyzed: Mar 11, 2026, 10:26 AM