Geckoboard

Security checks across malware telemetry and agentic risk

Overview

This Geckoboard skill is coherent, but it should be reviewed because it can run authenticated actions that permanently delete or overwrite business dashboard data.

Install only if you trust Membrane and intend to let an agent operate your Geckoboard account. Use the least-privileged account or connection available, verify the @membranehq/cli package before installing, and require explicit confirmation with the exact dataset or dashboard before allowing delete, replace, bulk update, or raw proxy requests.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly advertises destructive actions such as deleting datasets, but it does not instruct the agent to obtain explicit user confirmation before invoking them. In an agent setting, this increases the risk of accidental or overly autonomous destructive operations that can permanently remove business data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal