gocanvas
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the @membranehq/cli package from NPM. This is an official utility provided by the vendor for managing integrations.
- [COMMAND_EXECUTION]: The skill uses various shell commands through the membrane CLI to perform tasks such as authentication, listing actions, and running GoCanvas operations.
- [PROMPT_INJECTION]: The skill retrieves data from GoCanvas (e.g., submissions, forms, and reference data) which is subsequently processed by the agent. This creates an indirect prompt injection surface where malicious content within the external platform could attempt to influence agent logic.
  1. Ingestion points: Data enters the context via `membrane action run` and `membrane request` commands in SKILL.md.
  2. Boundary markers: No explicit delimiters or instruction-bypass warnings are defined for the retrieved data.
  3. Capability inventory: The skill utilizes CLI-based network requests and action execution.
  4. Sanitization: No evidence of data sanitization or validation is provided.