sonarcloud
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill leverages Membrane's managed authentication platform, which ensures that no sensitive SonarCloud API keys or credentials need to be handled by the user or stored in local environments.\n- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the
@membranehq/clipackage. This is an official tool provided by the skill's author (Membrane) and is necessary for interacting with the service.\n- [COMMAND_EXECUTION]: The skill provides instructions for using themembraneCLI to perform actions such as connecting to services and executing API requests to SonarCloud.\n- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it retrieves data from external SonarCloud projects (such as issue descriptions) which could contain attacker-controlled instructions.\n - Ingestion points: Untrusted data is ingested via the SonarCloud API through
membrane action runandmembrane requestcalls (SKILL.md).\n - Boundary markers: There are no specific delimiters or instructions provided to the agent to ignore or treat external data as untrusted.\n
- Capability inventory: The skill allows the agent to execute commands via the
membraneCLI to modify project settings or create issues (SKILL.md).\n - Sanitization: No explicit sanitization or validation of the retrieved API data is documented in the skill instructions.
Audit Metadata