charlie
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the
@membranehq/clipackage from the npm registry. This is the official command-line interface for the Membrane platform, which is the service provider for this skill. Documenting the installation of a vendor's own CLI tool is standard for platform integrations. - [COMMAND_EXECUTION]: The skill uses
membraneCLI commands to perform operations likelogin,connect,action list, andrequest. These commands are scoped to the CharlieHR integration and the Membrane environment. The skill does not perform any arbitrary or hidden shell command execution. - [CREDENTIALS_UNSAFE]: The skill correctly implements secure credential management by using the
membrane connectworkflow. This process handles OAuth and token refreshes server-side. Furthermore, the instructions explicitly include a best practice section advising against asking users for secrets or API keys. - [DATA_EXFILTRATION]: Network communication with the CharlieHR API is routed through the Membrane proxy service (
membrane request). This provides a controlled environment for API interactions and prevents the direct exposure of credentials or unauthorized data transfer to third-party domains.
Audit Metadata