Givingfuel

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate-looking GivingFuel integration, but it gives an agent broad authenticated access to fundraising data and delete/proxy actions without clear confirmation safeguards.

Install only if you trust Membrane and intend to let an agent access GivingFuel. Use the least-privileged GivingFuel account available, verify the connection and target records before use, require explicit approval before create, update, delete, broad export, or raw proxy requests, and revoke the Membrane connection when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill advertises a destructive delete capability without any guidance to obtain explicit user confirmation or perform a safety check before execution. In a fundraising platform context, accidental or overly eager deletion of coupons or related configuration could disrupt campaigns, cause financial loss, or remove business-critical data with limited recoverability.

VirusTotal

63/63 vendors flagged this skill as clean.
