ukg-ready
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends the global installation of the '@membranehq/cli' package via NPM. This is a vendor-owned tool used for managing authentication and executing API actions.
- [COMMAND_EXECUTION]: The skill utilizes CLI commands through 'membrane action run' and 'membrane request' to interact with the UKG Ready platform, including operations that read and write sensitive employee information.
- [PROMPT_INJECTION]: An indirect prompt injection surface exists where the agent processes external data.
  - Ingestion points: Data fetched from UKG Ready via actions such as 'run-report', 'list-employees', and 'get-attendance-records' (SKILL.md).
  - Boundary markers: No delimiters or specific 'ignore embedded instructions' warnings are provided for the ingested data.
  - Capability inventory: The skill has the ability to write to the system (e.g., 'create-employee', 'update-employee') and perform arbitrary proxy requests via 'membrane request' (SKILL.md).
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the content retrieved from the external API before it is processed by the agent.
Audit Metadata