4Demit

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Membrane app-integration skill, but users should supervise any direct proxy requests because they can change remote app data.

Install only if you trust the Membrane connection and are comfortable letting the agent act within that app account’s permissions. Prefer prebuilt Membrane actions, and require explicit confirmation before using proxy requests that create, update, or delete records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The proxy-request section enables arbitrary direct API calls, including mutating HTTP methods like POST, PUT, PATCH, and DELETE, without any warning about confirmation or change control. In an agent setting, this increases the chance of unintended remote state changes, record modification, or deletion if the agent uses the proxy path for underspecified user requests.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal