branch
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to globally install the @membranehq/cli package via npm. While this is a tool provided by the vendor, it involves downloading and installing external executable code.
- [COMMAND_EXECUTION]:
  - The integration relies on executing shell commands through the membrane CLI tool to perform authentication, connector management, and action execution.
  - The membrane request feature allows the execution of arbitrary HTTP requests against the Branch API, which could be misused to access or modify data outside the expected scope if the path or parameters are manipulated.
- [DATA_EXFILTRATION]: The skill moves data between the local environment and the Branch platform via the Membrane proxy service. This involves network transmission of data that may include sensitive information related to app measurement or workforce management.
- [PROMPT_INJECTION]:
  - Deceptive Metadata: There is a mismatch between the skill's primary description (Mobile Measurement and Deep Linking) and the extensive list of entities in the 'Branch Overview' (Shifts, Punches, Wages, Labor Costs). This inconsistency can mislead the agent about the actual capabilities and API surface available at the linked documentation (help.branch.io).
  - Indirect Prompt Injection:
    - Ingestion points: Untrusted data enters the agent's context through the output of membrane action run and membrane request commands (SKILL.md).
    - Boundary markers: The skill lacks explicit delimiters or instructions to the agent to treat API responses as untrusted data.
    - Capability inventory: The skill possesses the ability to execute shell commands and perform network operations via the membrane CLI.
    - Sanitization: No sanitization or validation logic is defined for the inputs passed to the --input flag or the data retrieved from the API.
Audit Metadata