semgrep
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use the
membraneCLI for all operations, including authentication (membrane login), service connection (membrane connect), and the execution of Semgrep-specific actions or proxy requests. This is the intended interaction model for the platform. - [EXTERNAL_DOWNLOADS]: The documentation directs the installation of the
@membranehq/clipackage from the NPM registry. This is the official command-line interface provided by the vendor for interacting with their services. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection because its primary function is to ingest and display findings from Semgrep, which may include untrusted content from analyzed codebases (such as code snippets, comments, or metadata).
- Ingestion points: Untrusted data enters the agent context through actions such as
list-findings,list-secrets, andget-scan(located in SKILL.md). - Boundary markers: There are no explicit instructions or delimiters defined to warn the agent to ignore embedded instructions within the findings data.
- Capability inventory: The agent has the capability to execute further shell commands (
membrane action run) and make arbitrary network requests (membrane request) based on the data it processes. - Sanitization: The skill relies on standard JSON output but does not implement semantic filtering to prevent the agent from obeying instructions that might be present in the scan results.
Audit Metadata