Namely

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Namely HRIS integration, but it gives broad ability to read and change sensitive employee data without clear safeguards.

Install only if you trust Membrane and the Namely connection scope. Use a least-privileged Namely account, verify how to revoke the connection, and require explicit confirmation before any create, update, delete, payroll, profile, or raw proxy request.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
This skill documents destructive and sensitive HRIS actions such as profile updates, profile creation, and announcement deletion without requiring confirmation, approval, or clear warnings for high-risk operations. In an HRIS context, these actions can alter employee records, payroll-adjacent data, or internal communications, creating substantial integrity and privacy risk if triggered mistakenly or through prompt manipulation.

VirusTotal

65/65 vendors flagged this skill as clean.
