Microsoft Power Bi

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Power BI integration, but it gives an agent high-impact Power BI change and delete capability without clear built-in approval safeguards.

Install only if you trust Membrane and are comfortable granting delegated Power BI access. Use a least-privileged Power BI account or workspace where possible, and require the agent to show the exact workspace, dataset, report, user, and intended effect before any create, update, refresh, clone, delete, or proxy request.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The skill documents destructive Power BI operations such as deleting workspaces, datasets, and reports, but provides no guidance to require explicit user confirmation, scope checks, or dry-run behavior before execution. In an agent setting, this increases the risk of accidental or overly broad destructive actions against production BI assets if the agent interprets a user request incorrectly or acts with insufficient safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal