Clerk

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Clerk administration skill, but it gives an agent broad identity-management authority without enough safety guidance for destructive actions.

Install only if you intend to let an agent administer Clerk through Membrane. Use a least-privilege or test Clerk connection where possible, require explicit confirmation before deletes, membership changes, session revocations, or raw proxy requests, and review Clerk/Membrane audit and revocation options.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises destructive operations such as delete-user, delete-organization, and revoke-session without any guidance to require explicit user confirmation, authorization checks, or safeguards before execution. In an agentic setting, this increases the chance of accidental or overbroad account-impacting actions, especially because these operations affect identity and access management resources.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal