cacoo
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the `membrane` CLI to perform operations such as listing connections, searching for actions, and executing API calls. This allows the agent to interact with the Cacoo environment directly from the terminal.
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the `@membranehq/cli` package via npm. This is an expected and legitimate dependency provided by the vendor for managing service integrations.
- [DATA_EXFILTRATION]: The skill implements a secure connection model where authentication is managed server-side by the Membrane platform. It explicitly instructs the agent never to ask for or store sensitive credentials like API keys locally.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it retrieves data from an external source (Cacoo).
  - Ingestion points: Data returned from `membrane action run` or `membrane request` (e.g., diagram names, metadata).
  - Boundary markers: Not present in the provided instructions.
  - Capability inventory: The agent has the ability to run actions and make requests.
  - Sanitization: No specific filtering logic for external content is described.
Audit Metadata