Campaignhq

Security checks across malware telemetry and agentic risk

Overview

This is a coherent CampaignHQ integration, but it gives an agent live authenticated power to change campaign data and send emails without enough built-in guardrails.

Install only if you trust Membrane and intend to grant CampaignHQ access. Use a least-privileged CampaignHQ account where possible, review the global CLI install, and require explicit confirmation before deleting or changing campaigns, updating contacts, sending emails, or making non-read-only proxy requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill advertises create, update, delete, send, start, pause, resume, and unschedule operations without any warning about irreversible or user-visible consequences. In a political campaign context, these actions can alter contact data, send messages to supporters, or disrupt live outreach, increasing the risk of accidental harmful execution by an agent.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal