performyard
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
@membranehq/clipackage from the official npm registry. This is a legitimate dependency provided by the vendor (Membrane) to enable the skill's functionality.\n- [COMMAND_EXECUTION]: The skill uses various shell commands through themembraneCLI, such asmembrane login,membrane connect, andmembrane action run, to manage authentication and interact with the PerformYard API. These operations are essential to the primary purpose of the skill.\n- [PROMPT_INJECTION]: The skill retrieves performance data, review cycles, and form templates from PerformYard. This data is ingested into the agent's context, creating a surface for indirect prompt injection if external records contain malicious instructions. This is an inherent risk of data-processing skills and is handled within standard safety guidelines.
Audit Metadata