Salesforce Pardot

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Salesforce Pardot integration, but it can change or delete marketing records through Membrane, so users should apply normal production-data caution.

Install only if you intend to let Membrane connect to your Salesforce Pardot account. Review the account permissions used for the connection, prefer prebuilt actions over proxy requests, verify record IDs before changes, and require explicit confirmation before create, update, delete, proxy write, or bulk list-membership operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium, 93% confidence
Finding
The skill advertises destructive actions like deleting prospects and lists without requiring confirmation or warning the agent to obtain explicit user approval. In an agentic context, this increases the risk of accidental or unauthorized destructive operations against production marketing data.

Missing User Warnings

Medium, 89% confidence
Finding
The proxy request section enables arbitrary direct API calls over the network without warning about possible transmission of sensitive customer, prospect, or system data. Because the proxy can reach endpoints beyond the predefined safe action surface, it expands the chance of overbroad data access, exfiltration, or unintended state changes if used incautiously.

VirusTotal

65/65 vendors flagged this skill as clean.
