commcare

Pass

Audited by Gen Agent Trust Hub on Apr 25, 2026

Risk Level: SAFE | EXTERNAL_DOWNLOADS | COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill documentation includes instructions to install the @membranehq/cli package globally via NPM. This package is an official tool provided by the skill's author to manage the integration workflow.
  • [COMMAND_EXECUTION]: The skill describes using the membrane command-line tool for authentication (membrane login), connection management (membrane connect), and executing actions (membrane action run). These commands are standard operations within the vendor's ecosystem for interacting with their platform.
  • [PROMPT_INJECTION]: The skill defines a surface for potential indirect prompt injection as it retrieves data from external CommCare sources (such as form submissions and case records) that may contain untrusted content. If an agent processes this data without sanitization, it could influence downstream logic.
      • Ingestion points: Data retrieved via actions like list-forms, get-form, list-cases, and get-case (SKILL.md).
      • Boundary markers: None explicitly defined in the provided integration instructions.
      • Capability inventory: The agent can perform subsequent network requests and action executions via the membrane request and membrane action run commands (SKILL.md).
      • Sanitization: No specific sanitization or filtering logic is mentioned in the setup guidelines.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 25, 2026, 09:35 AM