Cometly

Security checks across malware telemetry and agentic risk

Overview

This is a real Cometly integration, but it gives agents broad authenticated API access that can send customer/event data and make write or delete requests without enough confirmation guidance.

Review before installing. Use a least-privileged Cometly/Membrane connection, verify the Membrane CLI package and pinned version before global install, and require explicit approval before any event submission or POST/PUT/PATCH/DELETE/proxy request. Avoid sending unnecessary personal, customer, payment, regulated, or secret data in inputs, query strings, headers, or request bodies.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The skill prominently documents actions that send tracking, purchase, lead, and signup events to Cometly, but it does not warn that these operations may transmit personal, behavioral, or commercial data to a third-party marketing platform. In an agent setting, that omission increases the risk of users or downstream agents sending sensitive customer data without sufficient confirmation, minimization, or awareness of privacy/compliance implications.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal