Jumpcloud

Security checks across malware telemetry and agentic risk

Overview

This JumpCloud skill is not deceptive, but it gives an agent broad identity-management action and raw API authority without clear confirmation guidance for high-impact changes.

Install only if you intend to let the agent operate against a real JumpCloud tenant through Membrane. Before any create, update, delete, policy, command, group membership, or access-control change, require the agent to show the exact action or API request, affected resources, and expected impact, then wait for explicit approval.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill provides detailed instructions for discovering, running, and proxying JumpCloud actions, including potentially destructive administrative operations, but does not warn about sensitivity or require confirmation for write/delete actions. In an identity and device management context, this omission increases the chance that an agent could make harmful changes to users, groups, devices, policies, or authentication-related resources without adequate user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal