zoho-recruit
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [SAFE]: The skill utilizes a managed CLI tool provided by the author to handle API interactions, which is the intended and secure usage pattern for this ecosystem.
- [EXTERNAL_DOWNLOADS]: The instructions guide the user to install the official @membranehq/cli package from the NPM registry; as this is a well-known vendor resource, it is considered safe.
- [CREDENTIALS_UNSAFE]: The documentation actively encourages secure credential management by instructing users to avoid manual token handling in favor of the platform's automated connection system.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection as it ingests data from the Zoho Recruit API (SKILL.md) without explicit sanitization or boundary markers; however, this is a standard risk for integration skills and is mitigated by the agent's internal safety protocols.
Audit Metadata