thinq
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE COMMAND_EXECUTION EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `@membranehq/cli` package from the npm registry. This is the official command-line interface provided by the vendor for managing integrations.
- [COMMAND_EXECUTION]: The skill uses the `membrane` CLI to perform various tasks, including authenticating users, searching for connectors, and executing actions against the ThinQ API.
- [DATA_EXFILTRATION]: Communication with the ThinQ API is performed via a proxy service (`membrane request`). This design allows the platform to manage authentication headers and token refreshes server-side, preventing the exposure of API keys in the local environment.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection as it processes and displays data fetched from the external ThinQ API.
  - Ingestion points: Untrusted data enters the agent context through the output of CLI commands like `membrane action run` and `membrane request` (SKILL.md).
  - Boundary markers: The instructions do not specify the use of delimiters or ignore-instructions to wrap the external API data.
  - Capability inventory: The agent has the capability to execute shell commands via the `membrane` CLI and make further network requests through the proxy.
  - Sanitization: There is no explicit evidence of content validation or sanitization performed on the API responses before they are processed by the agent.
Audit Metadata