Pipeworx chargebee

Security checks across malware telemetry and agentic risk

Overview

This skill connects an agent to Chargebee customer, subscription, invoice, billing-address, and payment-method data through a third-party MCP gateway without explaining authentication, tenant scope, or data handling.

Install only after confirming who operates the Pipeworx gateway, how your Chargebee account is authenticated, what exact permissions are granted, and whether the integration is read-only. Avoid production customer or payment data until you have clear privacy, retention, and access-control terms.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises access to customer, subscription, invoice, billing address, and payment-related data through a remote MCP endpoint, but provides no warning about external data transmission, handling of sensitive information, or access-control expectations. This can cause users or downstream agents to expose regulated or confidential customer data to a third-party service without informed consent or appropriate safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.
