Drata

Security checks across malware telemetry and agentic risk

Overview

This Drata skill is legitimate in purpose, but it gives broad live access to sensitive compliance data and write-capable API paths without enough built-in safety guidance.

Install only if you trust Membrane with Drata access and can connect a least-privileged Drata account. Before any create, update, delete, export, or proxy request, confirm the workspace, exact records, request method, payload, and expected impact.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill explicitly documents object creation and raw proxy request capabilities against a sensitive compliance platform, but it does not require confirmation, scoping, or safety guidance before modifying organizational data. In a Drata context, unrestricted write and direct API access can lead to unauthorized changes to controls, risks, vendors, policies, or evidence records, impacting compliance posture and audit integrity.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal