Cloudbees

Security checks across malware telemetry and agentic risk

Overview

This CloudBees skill appears legitimate, but it gives an agent broad CloudBees change authority without enough built-in safeguards.

Install only if you trust Membrane and intend to let an agent operate on CloudBees resources. Use a least-privilege CloudBees account, avoid production access unless necessary, and require the agent to show the exact resource, action, and expected impact before any create, update, delete, toggle, or raw proxy request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
This section lists destructive actions such as deleting environments, flags, and target groups without warning about confirmation, authorization checks, or irreversible effects. In an agent setting, that increases the chance of accidental or overly eager execution of high-impact operations against production CloudBees resources.

Missing User Warnings

Low
Confidence: 82%
Finding
The proxy-request guidance encourages direct API access through Membrane but omits warnings that arbitrary requests may transmit sensitive data over the network or bypass safer, constrained pre-built actions. This can lead to unintended disclosure of private CloudBees data or broaden the blast radius of mistakes.

VirusTotal

57/57 vendors flagged this skill as clean.