Manus

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill connects to Manus through Maton and discloses its sensitive API, file, task, and webhook capabilities.

Install only if you trust Maton and Manus with the prompts, files, task metadata, and outputs you send through the API. Approve create, delete, upload, and webhook actions only after checking the target account and destination URL, and use webhook endpoints you control and trust.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The webhook documentation instructs users to send task lifecycle events to an arbitrary external URL but does not warn that task metadata or outputs may be transmitted off-platform. In a skill that can handle user prompts, files, and agent execution results, this omission can lead to unintended disclosure of sensitive data to third-party endpoints.

VirusTotal

56/56 vendors flagged this skill as clean.

View on VirusTotal