zoho-bugtracker
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill documentation describes standard interactions with Zoho Bugtracker via the Membrane CLI. No malicious code, hardcoded credentials, or obfuscation were found.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the @membranehq/cli global npm package. This is a recognized vendor resource from the skill author and is necessary for the skill's operation.
- [COMMAND_EXECUTION]: The skill instructs the agent to run membrane CLI commands to manage connections and actions. These are legitimate uses of the tool for the stated purpose.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface. 1. Ingestion points: Data fetched from Zoho Bugtracker via actions like list-bugs and get-bug in SKILL.md. 2. Boundary markers: No delimiters or specific instructions to ignore embedded commands are present in the documentation. 3. Capability inventory: The skill can perform write/delete actions (create-bug, update-project, delete-bug) via membrane action run as documented in SKILL.md. 4. Sanitization: No sanitization of external content is mentioned.
Audit Metadata