Mercado Pago

Security checks across malware telemetry and agentic risk

Overview

This Mercado Pago skill is purpose-aligned, but it needs Review because it gives broad authenticated payment-account control without clear confirmation guardrails for changes.

Install only if you trust Membrane and the npm CLI source. Connect only the intended Mercado Pago account, review any consent scopes, prefer pre-built actions over raw proxy calls, and require the agent to ask before any payment, refund, POST, PUT, PATCH, DELETE, or account-changing operation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill documents a generic proxy request capability that supports mutating HTTP methods like POST, PUT, PATCH, and DELETE without any guardrails, confirmation requirements, or warnings about side effects. In a payments context, this increases the risk of accidental or overly broad data-changing actions such as refunds, order updates, or other financial state changes being executed from ambiguous user requests.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal