gist

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Installs the @membranehq/cli package from the npm registry, which is an official utility provided by the vendor.
  • [COMMAND_EXECUTION]: Executes system-level commands through the membrane utility to manage authentication, connections, and action execution.
  • [PROMPT_INJECTION]: Deceptive metadata is present; the skill is named 'gist' and points to GitHub's Gist API documentation, yet the provided actions (such as 'List Campaigns' and 'List Conversations') belong to the Gist CRM platform. This discrepancy may lead the agent to misidentify the source of data or the scope of its capabilities.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its data handling process.
    1. Ingestion points: Data retrieved via the membrane action run command from CRM workspaces.
    2. Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands in the fetched data.
    3. Capability inventory: The agent can execute shell commands and perform network requests using the membrane CLI tool.
    4. Sanitization: There is no evidence that the content returned from external API actions is sanitized or validated before being processed.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 28, 2026, 10:54 PM