Niftyimages

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate NiftyImages integration, but it gives an agent broad authenticated account access, including raw create/update/delete API requests without clear safety limits.

Install only if you trust Membrane and want an agent to operate your NiftyImages account. Prefer listed Membrane actions over raw proxy requests, explicitly approve any create, update, delete, or account-management operation, and revoke the Membrane connection when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The proxy request section explicitly enables arbitrary HTTP methods including POST, PUT, PATCH, and DELETE, but does not warn that these can modify or destroy remote data. In an agent setting, that omission increases the chance the agent will issue state-changing API calls without adequate user confirmation or safety checks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal