Digital Ocean

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking DigitalOcean management skill, but it needs review because it can create, delete, and proxy authenticated cloud API actions without explicit confirmation safeguards.

Install only if you trust Membrane with access to your DigitalOcean account. Use least-privileged access where possible, verify or pin the CLI version, and require explicit confirmation with exact resource IDs before any create, update, delete, or raw proxy request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill advertises destructive delete actions without any warning, confirmation requirement, or safety guidance. In a cloud-management context, this increases the chance that an agent or user invokes irreversible operations that delete production infrastructure, causing service disruption or data loss.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal