Cinc

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate CINC/Membrane integration, but it can change or delete CRM records through an authenticated account without clear confirmation safeguards.

Review before installing. Use this only if you intend to let an agent operate your CINC account through Membrane, preferably with a least-privileged account. Require explicit approval before creating, updating, deleting, subscribing webhooks, or using raw proxy requests, and confirm the exact lead or record ID before destructive actions.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 83% confidence
Finding: The skill explicitly documents a destructive `delete-lead` action without any accompanying guidance to require user confirmation, verify authorization, or warn about irreversible effects. In an agent setting, this increases the risk that a model could execute destructive CRM operations from ambiguous or mistaken prompts, causing data loss in production records.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal