Eci Software Solutions

Security checks across malware telemetry and agentic risk

Overview

This ECi integration is plausible, but it can make broad authenticated changes to business records without clear confirmation safeguards.

Install only if you are comfortable connecting ECi through Membrane and giving the agent access to business records. Use a least-privileged ECi/Membrane account, verify or pin the Membrane CLI where practical, and require explicit confirmation before any update, delete, invoice, order, purchase, bulk-change, or raw proxy request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (2)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The description is broad enough to trigger on many generic requests involving data, records, or workflows, which increases the chance the skill is invoked outside a clearly intended ECi context. Because the skill can perform reads, updates, and proxy requests against a business system, overbroad routing can lead to unintended access or modification of remote business data.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill advertises update operations and raw proxy request capability without an explicit warning or confirmation requirement for write actions against live business systems. In this context, an agent could modify customers, orders, invoices, items, or purchase records without sufficiently surfacing the risk of destructive or irreversible changes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal