Announcekit

Security checks across malware telemetry and agentic risk

Overview

This AnnounceKit skill is coherent, but it gives an agent broad ability to create, update, delete, and directly proxy AnnounceKit API requests without requiring confirmation for destructive changes.

Install only if you trust Membrane and intend to let an agent manage AnnounceKit content. Before using it, require the agent to show the exact action, parameters, connection ID, and affected post, label, or roadmap issue before any create, update, delete, or raw proxy request, and use the least-privileged AnnounceKit/Membrane account available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill advertises destructive actions such as deleting posts, labels, and roadmap issues without any guidance to require user confirmation, preview affected resources, or verify intent. In an agentic workflow, this increases the chance of accidental or unauthorized destructive operations, especially when a user request is ambiguous or the agent acts autonomously.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal