Cloudcart

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward CloudCart integration, but users should treat its write and proxy commands as capable of changing live store data.

Install this only if you want an agent to help manage a CloudCart store through Membrane. Before create, update, or proxy requests, confirm the store, record IDs, fields, and intended effect; prefer read/list/get actions and vetted Membrane actions before raw API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill documents create and update operations on live e-commerce resources without warning that these actions can modify production store data. In an agent setting, that omission increases the chance of unsafe execution, accidental writes, or unconfirmed state changes to products, orders, customers, categories, and vendors.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The proxy request section enables arbitrary API requests, including destructive HTTP methods, while presenting them as a general fallback without strong guardrails. In context, this can let an agent bypass safer prebuilt actions and perform unintended deletes, updates, or other dangerous calls directly against the remote service.

VirusTotal

55/55 vendors flagged this skill as clean.