Checkr

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Checkr integration, but it gives an agent broad authenticated access to sensitive background-check data, including raw write/delete API calls, without enough built-in confirmation guidance.

Review before installing. Use this only with an approved Membrane account and a least-privileged Checkr connection, and require explicit user confirmation before retrieving protected candidate/report details or making any create, update, delete, invitation, or workflow-changing request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly documents use of a generic proxy request interface supporting POST, PUT, PATCH, and DELETE against the Checkr API without requiring confirmation, guardrails, or warnings about modifying sensitive background-check data. In a high-sensitivity HR context, this increases the risk that an agent could perform destructive or privacy-impacting operations through raw API calls that bypass safer prebuilt actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal