cubejs
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the
@membranehq/clipackage globally via npm and usesnpxto run the latest version. These are vendor-owned resources used for the skill's primary interaction with the Cube.js service. - [COMMAND_EXECUTION]: The skill utilizes the
membraneCLI to perform authentication, query data, and manage connections. These operations are restricted to the functionality provided by the CLI and are used as intended for service integration. - [PROMPT_INJECTION]: The skill retrieves data from Cube.js queries and API responses (ingestion points in
SKILL.md). The skill does not define explicit boundary markers or sanitization logic for this data, which could potentially contain instructions if the data source is compromised. However, the agent operates within the constraints of the provided CLI tool, and standard LLM guardrails are expected to mitigate this risk.
Audit Metadata