currencyapi
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
@membranehq/cliglobal npm package, which is the official tool provided by the vendor. - [COMMAND_EXECUTION]: The skill executes various
membraneCLI commands to handle user login, search for connectors, and run currency conversion actions. - [PROMPT_INJECTION]: The skill ingests external data from the Currencyapi service, creating an indirect prompt injection surface. * Ingestion points: Untrusted currency data is fetched via the
membrane action runandmembrane requestcommands. * Boundary markers: Absent; the skill does not specify delimiters to isolate external data from instructions. * Capability inventory: The skill can execute shell commands through the Membrane CLI. * Sanitization: Absent; no validation or sanitization of the API response content is described.
Audit Metadata