cincopa
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the `@membranehq/cli` package. This is a legitimate utility provided by the skill's author to manage platform integrations.
- [PROMPT_INJECTION]: The skill processes data retrieved from the external Cincopa API (such as asset metadata and gallery information), which constitutes a potential surface for indirect prompt injection if the external source contains adversarial content.
  - Ingestion points: Data returned from actions like `list-assets`, `list-galleries`, and `get-gallery-items` described in `SKILL.md`.
  - Boundary markers: None identified in the provided instructions.
  - Capability inventory: The skill can execute API requests and Cincopa-specific actions using the `membrane` CLI as documented in `SKILL.md`.
  - Sanitization: No explicit sanitization or filtering of external data is defined within the skill content.
- [CREDENTIALS_UNSAFE]: The skill demonstrates secure credential handling by using OAuth-based connections (`membrane connect`) instead of hardcoding API keys or prompting the user for sensitive tokens.
Audit Metadata