Humanity

Security checks across malware telemetry and agentic risk

Overview

This Humanity skill is a coherent integration, but it gives an agent broad authenticated access to sensitive workforce data with raw write/delete API capability and limited guardrails.

Install only if you are comfortable granting Membrane-mediated access to Humanity HR and workforce data. Use a least-privilege Humanity account where possible, confirm every write/delete/payroll-related operation before it runs, verify raw API paths and record IDs carefully, and revoke the Membrane/Humanity connection when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill documents a generic authenticated proxy mechanism capable of arbitrary HTTP methods, including POST, PUT, PATCH, and DELETE, without emphasizing that these requests can change or remove remote Humanity data. In an agent setting, this increases the chance of unsafe write operations being performed through broad natural-language instructions or insufficient confirmation before destructive actions.

VirusTotal

64/64 vendors flagged this skill as clean.
