Ikas

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent, but it exposes a broad authenticated Ikas API proxy that can change or delete records without clear safeguards.

Install only if you trust Membrane and are comfortable letting an agent operate against your Ikas account. Prefer the listed Membrane actions over raw proxy requests, use the least-privileged Ikas/Membrane account available, and require explicit confirmation before any non-read-only request or operation involving payments, admins, enrollments, or deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents a generic authenticated proxy request mechanism that supports arbitrary HTTP methods, headers, body data, and path parameters, but it does not warn that this can perform destructive operations against the remote Ikas service. In an agent setting, this expands the action surface from curated operations to effectively unrestricted API access, increasing the risk of unauthorized modification, deletion, or abuse of sensitive records.

VirusTotal

VirusTotal findings are pending for this skill version.
