Fivetran

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Fivetran integration that can make account changes, but the reviewed artifact does not show hidden or malicious behavior.

Install only if you trust Membrane and the npm CLI package. Use a least-privilege Fivetran account, verify the connection and resource IDs before running actions, and require explicit user confirmation before deleting or changing connectors, destinations, or groups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly exposes destructive operations like Delete Connection, Delete Destination, and Delete Group without any accompanying guidance to require user confirmation, scope checks, or preview of the target resource. In an agentic context, this increases the risk that an AI assistant could execute irreversible administrative actions based on ambiguous or misinterpreted user intent.

VirusTotal

64/64 vendors flagged this skill as clean.