Easysendy

Security checks across malware telemetry and agentic risk

Overview

This EasySendy skill appears legitimate, but it gives an agent broad account-changing powers without clear confirmation rules.

Install only if you trust Membrane and intend to let an agent operate your EasySendy account. Before delete, unsubscribe, bulk import, or proxy API requests, require the agent to show the exact action, target list or subscriber, and payload, then get explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly surfaces destructive operations such as deleting subscribers and lists, but provides no instruction to confirm user intent, warn about irreversibility, or require safeguards before execution. In an agent setting, this increases the chance of unintended destructive actions from ambiguous prompts, misinterpretation, or over-automation, even if the underlying API call is legitimate.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal