xero
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
membraneCLI tool to execute actions and proxy requests to the Xero API, which is the intended core functionality of the integration.\n- [EXTERNAL_DOWNLOADS]: The skill recommends installing the@membranehq/clipackage from the npm registry. This is a verified resource belonging to the skill's authoring organization.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from external Xero records (such as invoices, contacts, and transactions) which could contain adversarial instructions.\n - Ingestion points: Data retrieved via actions like
list-invoices,list-contacts, andget-invoiceinSKILL.md.\n - Boundary markers: No delimiters or explicit instructions are present to distinguish between external data and system commands.\n
- Capability inventory: The skill can execute actions via
membrane action runand perform network requests viamembrane requestacross all integration logic.\n - Sanitization: There is no evidence of data sanitization, validation, or escaping logic to prevent malicious content within Xero data from influencing the agent's behavior.
Audit Metadata