coupa-pay
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill utilizes the @membranehq/cli Node.js package, which is the official command-line interface provided by the vendor for platform interactions.
- [COMMAND_EXECUTION]: The integration relies on the membrane command to perform authentication, connection management, and API execution. These commands are restricted to the context of the service integration.
- [PROMPT_INJECTION]: The skill ingests data from external Coupa Pay API endpoints via the membrane action run and membrane request commands. While it lacks explicit boundary markers for the data returned from these calls, it implements best practices by routing all sensitive operations through a secure platform proxy that manages credentials server-side, effectively reducing the risk of credential theft via indirect injection.
Audit Metadata