ramp
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the `@membranehq/cli` package globally via npm. This is the official command-line tool for the Membrane platform, provided by the skill vendor.
- [COMMAND_EXECUTION]: Employs the `membrane` CLI for operations including authentication (`membrane login`), connection management (`membrane connect`), and running API actions. These commands are essential for the skill's purpose.
- [DATA_EXFILTRATION]: Accesses sensitive financial data (transactions, bills, employee records) from the Ramp API. Data transmission is managed through the Membrane proxy, and the skill instructions explicitly advise against requesting user API keys, delegating credential management to the platform.
- [PROMPT_INJECTION]: The skill presents an architectural surface for indirect prompt injection.
  - Ingestion points: Sensitive data retrieved from the Ramp API (e.g., transaction notes, merchant names) is ingested into the agent's context via `membrane action run` and `membrane request`.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands are present in the processing flow.
  - Capability inventory: The agent can execute further actions and network requests using the `membrane` CLI based on the processed data.
  - Sanitization: There is no evidence of explicit sanitization or filtering of external data before it is presented to the agent.
Audit Metadata