Nango

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Nango integration skill that uses Membrane-managed authentication and API access. Its API capability is broad, and users should control it carefully.

Install only if you intend to let the assistant access Nango through Membrane. Before any create, update, delete, or raw proxy request, confirm the exact connection, endpoint, HTTP method, and expected effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The manifest and description frame the skill as managing Nango connections, users, and groups, but the body documents generic action discovery/execution and raw proxy requests to arbitrary Nango API endpoints. This scope expansion can mislead an agent or operator into granting or using broader capabilities than expected, increasing the chance of unintended data access or modification.

Description-Behavior Mismatch

Low
Confidence: 84%
Finding
The manifest and description frame the skill as managing Nango connections, users, and groups, but the body documents generic action discovery/execution and raw proxy requests to arbitrary Nango API endpoints. This scope expansion can mislead an agent or operator into granting or using broader capabilities than expected, increasing the chance of unintended data access or modification.

VirusTotal

64/64 vendors flagged this skill as clean.
