paylocity
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses official platform tools to manage integrations and credentials, reducing the risk of accidental exposure or credential theft.
- [DATA_EXPOSURE]: The skill facilitates access to sensitive payroll and HR data within Paylocity. This behavior is the intended primary purpose of the skill and is performed through a secure proxy (Membrane) that handles authentication.
- [COMMAND_EXECUTION]: Instructions involve the installation and use of the
@membranehq/cliglobal npm package. This is the standard CLI for the Membrane platform authored by the same vendor. - [INDIRECT_PROMPT_INJECTION]: The skill has an inherent attack surface for indirect prompt injection as it processes untrusted data from the Paylocity API.
- Ingestion points: Data enters the agent context through the output of
membrane action runandmembrane requestcommands described inSKILL.md. - Boundary markers: None identified in the provided instructions to help the agent distinguish between its instructions and retrieved data.
- Capability inventory: The skill allows the agent to execute actions that can modify Paylocity data via
membrane action runandmembrane request(documented inSKILL.md). - Sanitization: No specific sanitization or validation of the retrieved API data is mentioned in the skill instructions.
Audit Metadata