Qualys

Security checks across malware telemetry and agentic risk

Overview

This Qualys skill is mostly transparent and purpose-aligned, but it gives broad authenticated control over a sensitive security platform without enough guardrails for raw API reads, writes, or deletes.

Install only if you trust Membrane with Qualys access. Use a least-privilege Qualys account, confirm before broad exports or any create/update/delete operation, avoid unnecessary raw proxy calls, and treat returned Qualys data as sensitive.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly encourages direct proxy requests to the Qualys API, which can expose sensitive security data such as asset inventories, detections, vulnerabilities, and remediation details without any caution about minimizing scope, confirming intent, or handling sensitive output safely. In a security-tool integration, this increases the chance that an agent will retrieve or transmit high-value operational data too broadly or unnecessarily.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal