Async Interview

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Async Interview integration, but it gives agents broad authenticated ability to change or delete hiring data without clear confirmation safeguards.

Install only if you are comfortable granting Membrane delegated access to Async Interview. Use a least-privileged account, prefer read/list actions first, and require the agent to show the exact connection, action or endpoint, method, and payload before any create, update, delete, invite, or proxy request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium (92% confidence)
Finding
The skill advertises destructive capabilities such as deleting interviews without any guidance to require user confirmation, preview affected resources, or distinguish read-only from mutating operations. In an agent context, this increases the chance of accidental or unauthorized destructive actions against production hiring data.

Missing User Warnings

Medium (90% confidence)
Finding
The proxy feature enables arbitrary direct requests to the external Async Interview API and the documentation frames it as a fallback without warning that user or candidate data will be transmitted to a third-party service. This expands the agent's ability to access or modify external data beyond curated actions, increasing risks of data exfiltration, unintended writes, and privacy-impacting misuse.

VirusTotal

64/64 vendors flagged this skill as clean.
