popupsmart
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [SAFE]: The skill does not contain any malicious instructions or patterns. It correctly uses the Membrane platform to handle credentials and API communication.
- [EXTERNAL_DOWNLOADS]: The skill instructions include installing the @membranehq/cli package from npm, which is a trusted vendor resource for the Membrane platform.
- [COMMAND_EXECUTION]: The skill uses standard membrane CLI commands to perform authorized actions and proxy requests to the Popupsmart API.
- [SAFE]: A surface for indirect prompt injection exists as the skill ingests data from Popupsmart (ingestion points: action outputs and proxy requests). It has write/execute capabilities via membrane action run. No specific boundary markers or sanitization are mentioned in the text, but the risk is mitigated by the use of structured tool calls and vendor-managed actions.
Audit Metadata