Genderize

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed Genderize integration that sends names through Membrane for gender prediction, with no evidence of hidden or destructive behavior.

Install this only if you are comfortable using Membrane and Genderize for submitted names. Avoid sending confidential customer lists, HR data, minors' data, or other sensitive personal data unless you have permission and have reviewed the relevant third-party terms.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill documents authentication and network-based connection setup but does not warn that user data and prompts may be transmitted to external services and browser-based auth flows. In an agent setting, omission of an explicit disclosure can lead to unintentional sharing of names or other sensitive data with third parties.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The proxy section enables arbitrary direct requests to the external API through Membrane without guardrails or warnings about data disclosure, endpoint misuse, or unintended side effects. Even if Genderize is relatively low risk, exposing raw request capability in a skill increases the chance of sending sensitive data externally or invoking unsupported operations without user awareness.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal