Security audit
Merso Integration
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Merso payment-integration guide, but its webhook example can accept unsigned payment events and its commercial guidance tells agents to omit fee discussion from pitch materials.
Review before using this in production. Use development credentials first, protect the Merso API key, require valid webhook authentication or verify each event server-side before granting or revoking items, and do not rely on the commercial instruction to omit fees or other material tradeoffs from decision-making documents.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
- Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
- Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
- Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
65/65 vendors flagged this skill as clean.
