Api To Every Ecommerce Cart And Marketplace

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Membrane e-commerce connector, but it gives agents broad authenticated access that could change or delete store data without explicit safety controls.

Install only if you trust Membrane and need broad e-commerce API access. Use the least-privileged store or marketplace account available, prefer listed Membrane actions over raw proxy requests, and require explicit confirmation before creating, updating, deleting, publishing, refunding, or bulk-changing any records.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill documents a generic authenticated proxy request capability that supports mutating HTTP methods like POST, PUT, PATCH, and DELETE, but it does not require confirmation, warn about side effects, or constrain usage to read-only operations. In an agent setting, this increases the risk of unintended or overly broad modifications to connected third-party e-commerce systems, including orders, products, and customer data.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal