groundlight
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the '@membranehq/cli' Node.js package. This is a resource provided by the vendor (Membrane) to facilitate interaction with their platform.
- [COMMAND_EXECUTION]: The skill uses the 'membrane' CLI to manage authentication, list actions, and execute requests against the Groundlight API. This includes executing pre-defined actions and making direct HTTP requests via a proxy.
- [PROMPT_INJECTION]: The skill processes data retrieved from Groundlight, an external service, creating a surface for indirect prompt injection.
  - Ingestion points: Data returned from 'membrane action run' and 'membrane request' in SKILL.md.
  - Boundary markers: Not present in the instructions.
  - Capability inventory: Execution of CLI commands and network requests through the 'membrane' tool in SKILL.md.
  - Sanitization: No explicit sanitization of external API responses is mentioned.
Audit Metadata