CRMy

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CRMy CRM integration that can make persistent CRM changes, so it should be used with confirmation for writes.

Install this only if you want an assistant to manage CRMy records. Use a trusted CRMy server URL, protect the API key, and ask the assistant to preview and confirm contact creation, account linking, activity logs, deal-stage changes, and bulk updates before writing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill directs the agent to proactively log every meaningful interaction, including calls, meetings, proposals, and deal news, without requiring explicit user confirmation or warning that potentially sensitive business communications will be stored in the CRM. In practice, this can cause confidential relationship details, personal data, or commercially sensitive notes to be persisted unexpectedly, especially because the instruction says 'Don't wait to be asked.'

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The new-lead workflow instructs the agent to create and link multiple CRM records and log meeting details, but it does not require explicit confirmation that these entities should be created and associated. This can lead to unintended persistence of personal or business data, accidental cross-linking of people and companies, and premature creation of sales records that may be inaccurate or privacy-sensitive.

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal